A recently filed lawsuit illustrates the new litigation challenges that automakers will face as cars incorporate telematics and other connected car technologies. In a class action complaint filed in Bowen v. Porsche Cars N.A., Inc. in the U.S. District Court for the Northern District of Georgia on January 29, 2021, the owner of a 2011 Porsche vehicle claimed that a signal transmitted by Sirius XM Radio and “facilitated” by Porsche during a 2020 Memorial Day weekend promotional campaign caused a major malfunction in the “infotainment” system of his and “many” other Porsche vehicles. According to the complaint, after receiving this signal, the installed Porsche Communications Management (PCM) unit “would continuously reboot,” which “prevented Porsche owners from using the PCM . . . drained their car batteries, destroyed their PCM hard drives, and caused countless other inconveniences.”
The CFAA Claim Against Porsche
The vehicle owner asserted claims for himself and on behalf of a purported class of affected owners against the manufacturer for violation of the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and related common law claims. Broadly speaking, the CFAA—a criminal statute enacted by Congress in 1986 in response to the then-new phenomenon of computer hacking—prohibits knowingly accessing a computer without authorization or exceeding authorized access and obtaining data, causing damage to the computer, or transmitting code that causes damage to the computer. The CFAA also creates a civil cause of action for someone who suffers damage or loss as a result of such activity.
Porsche has moved to dismiss the claims under Rule 12(b)(6) of the Federal Rules of Civil Procedure, arguing that the complaint does not state a claim against the manufacturer because it does not allege that Porsche (as opposed to Sirius) actually transmitted anything to the vehicle; in fact, Porsche noted in its moving papers that if any portion of the case survives the motion, the manufacturer “would introduce evidence demonstrating that it did not and cannot update PCMs remotely as alleged.” Porsche also argues that by purchasing a vehicle with an installed satellite radio, the vehicle owner consented to receive signals from Sirius, so that the signal (and its attendant receipt by the installed radio) could not have been unauthorized. Briefing was completed last month and the motion remains pending.
CFAA Claims Against Other Device Makers
This is not the first time that a CFAA claim has been asserted against the maker of a multifunctional device for transmitting code to those devices. The CFAA defines the term “computer” broadly to mean “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions,” excluding from that definition “an automated typewriter or typesetter, a portable hand held calculator, or other similar device.” With the convergence of technologies in recent years—Androids and other types of cellphone/handheld multifunction devices being obvious examples, but cars not far behind—the CFAA might reach just about any device that has a data processing capability.
In In re Device Performance Litigation, for example, the maker of an integrated communication device faced a major consumer class action asserting a claim for violation of the CFAA (among other claims) after the company in late 2017 transmitted an update for the installed operating system on devices manufactured and sold by the company. The manufacturer sent the update with a message that informed users that it was intended to address a “bug” that caused some devices—particularly older units with batteries that were beginning to degrade with the passage of time—to shut down unexpectedly, even when the device showed that the battery still had substantial power remaining. The consumer plaintiffs alleged that after they installed the updated operating system, they experienced significantly reduced processing speeds and other diminished performance, and that the manufacturer sent the update to conceal a battery defect, i.e. that the installed battery could not function for the useful life of the device.
The court in that case considered two separate motions to dismiss by the manufacturer. In its first order, the court concluded that the consumer plaintiffs had adequately pled that the manufacturer had caused “damage” to their devices “without authorization” in violation of § 1030(a)(5)(A) of the CFAA, but rejected a claim that the manufacturer had “accessed” the consumer plaintiffs’ devices “without authorization” in violation of § 1030(a)(5)(C) of the CFAA because the consumer plaintiffs had voluntarily installed the operating system on their devices. In re Device Performance Litig., 347 F. Supp. 3d 434, 451-52 (N.D. Cal. 2018). In an order on the manufacturer’s motion to dismiss an amended complaint, the court acknowledged the interplay between the manufacturer’s hardware warranty, which governed the terms on which the manufacturer had sold the battery and other hardware components in devices, and the software licensing agreement, which governed the terms on which the manufacturer licensed the operating system to device users, and dismissed claims against the manufacturer predicated on a “battery defect” theory. Id. at 1182-83.
Takeaways for Automakers
Recent advances in automotive technology, including telematics and other connected car technologies, are enhancing the ability of automakers to remain in contact with vehicles they manufacture. Given the expansive definition of “computer” under the CFAA, automakers should take appropriate steps to ensure that they are in compliance with the requirements of federal law when communicating with these computers on wheels.
Although the manufacturer was not able to avoid all exposure in the In re Device Performance Litigation, its process of requiring voluntary consent from consumers to install updated operating system software allowed the company to avoid at least some exposure under the CFAA. Moreover, maintaining a distinction between the hardware warranty covering installed components and the software license agreement covering software and related updates proved critical to the manufacturer’s defense of battery defect claims. Car manufacturers should likewise review their processes to ensure that they are taking appropriate steps to protect themselves as much as possible from claims like those asserted in these cases.