Last year I posted on our blog about the “Internet of Things,” and explored some ideas about how the IoT could generate new types of litigation and create complex challenges for e-discovery practice. At the time of my post, there were no reported cases in the U.S. implicating an IoT device, so my discussion was largely theoretical. (A case from Canada garnered some attention last year; it involved evidence from the plaintiff’s Fitbit device, which she used to support her personal injury claims.)
But not long ago the theoretical turned into reality, when a group of plaintiffs sued automakers Toyota, Ford, and General Motors. In their proposed nationwide class action, plaintiffs allege that the defendants sold unsafe cars, because their internet connectivity creates vulnerability to hackers, who could hypothetically take control of the cars’ braking, acceleration, and steering. According to the complaint, “Defendants failed consumers … when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because Defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others.”
This lawsuit raises many interesting issues at the intersection of technology and law. But perhaps most significantly from a legal perspective, the plaintiffs do not allege that any car has actually been hacked yet. The suit rests on the mere possibility that such hacks could take place. Is that enough to sustain legal claims? Could other plaintiffs succeed with allegations that personal health and fitness information generated by a Fitbit might fall into the wrong hands? Or that an internet-connected pacemaker potentially could be hijacked, and its wearer murdered? To some extent, this issue may be clarified by the Supreme Court next term, when it hears Spokeo, Inc. v. Robins, No. 13-1339. In Spokeo, the Court will decide whether a plaintiff has standing to sue if she has not suffered any actual injury, but can nevertheless prove a violation of some federal statute. If the Court answers in the affirmative, the repercussions in class action practice—and potential litigation about IoT threats—could be quite broad.
In the meantime, what are some takeaways for e-discovery practitioners looking to stay abreast of IoT developments? Primarily, counsel your clients to think ahead about the legal risks of IoT data in their business, and what they can do to mitigate those risks. Encourage them to incorporate IoT devices into their information governance programs. Help them develop contingency plans for preserving and collecting IoT data reasonably likely to become relevant in litigation. And brainstorm with them about ways to affirmatively use IoT data to defend or support existing types of litigation—this information can create risk, but it can also create opportunities.
To brainstorm with DiscoverReady about the discovery implications of IoT litigation, contact us, and we’ll arrange an introduction with a member of our e-discovery consulting team.
A recognized thought leader in e-discovery, Maureen collaborates with the company’s clients and operations teams to develop innovative information strategies for legal discovery, compliance, and sensitive data protection. She speaks and writes frequently on significant issues in e-discovery and information governance, and participates actively in the Sedona Conference Working Groups on Electronic Document Retention and Production and Data Privacy and Security. Prior to DiscoverReady, Maureen was a partner at Paul Hastings LLP, where she represented Fortune 100 companies in complex employment litigation matters.