Cybersecurity Update: Cars, Planes and Trains


We began our investigation into the intersection of cybersecurity (or insecurity) and products liability last December in a post that highlighted vulnerabilities to malicious or unintentional tampering for consumer products.  See article.  Our analysis explained that when technology advances at a rate faster than the law, uncertainty about where liability should fall increases and litigation proliferates.   This is particularly true in the case of products vulnerable to cyber insecurity.   In a recent post, we further explored the litigation implications of a familiar consumer product with a new spin: the driverless car.  See article.   There, we studied the idea of preemptively accepting liability to remove uncertainty and reduce risks of litigation.  Here, we take a closer look at the legal implications of cyberattacks on vehicles, both automotive and aviation, compared to other recent cyber-litigation.

In the world of autonomous automobiles, the latest and greatest automotive offerings are connected through an integrated network that controls the vehicle’s entertainment and navigation systems.  Furthermore, lessons learned by one vehicle are imputed on all other vehicles via an immediate data upload.  While this shared vehicular brain will inevitably enhance road safety in some instances—driverless cars may learn to avoid the human behaviors that most often lead to roadside accidents—its autonomy will inevitably create  new vulnerabilities  to malicious or unintentional cyber-tampering.

For example, in July, hackers gained wireless control, via the Internet, of a Jeep Cherokee.   Infiltrating through the car’s entertainment system, the hackers were able to control the radio, air-conditioning, windshield wipers, steering functions, brakes, transmission and even seatbelts.   Luckily the hackers were not malicious, but instead were on a quest to advocate for greater cybersecurity through unveiling potential vulnerabilities—targeting companies they felt failed to heed earlier admonitions about cybersecurity inadequacies.  In other words, Fiat Chrysler Automobiles was aware of the Hackers’ ongoing research (though did not commission the attack) and simultaneously developed software patches to combat similar future attacks on its fleet.

Cybersecurity consultants have similarly exposed cyber vulnerabilities and issued warnings to aviation agencies, arguing that air traffic control systems may create a weakness that allows hackers to issue false commands to planes.  Other common carriers are also facing the potential of malicious hacks.  In April, the BBC reported on the potential that railroad signals were vulnerable to cyberattacks that would result in train collisions.  See article.

To underscore the litigation potential facing industries behind cyber-targets, one need only examine other recent data breach litigation.  Just last month,  a federal court in Minnesota granted class certification to several financial institutions in a case alleging negligence against Target Corporation arising from the cyber hack of its computer system in December 2013.  There, the data breach resulted in the exposure of millions of customers’ financial information allegedly requiring plaintiff banks to issue new cards to affected customers.  See In re: Target Corp. Customer Data Security Breach Litigation, 2015 U.S. Dist. LEXIS 123779 (D. Minn. Sept. 15, 2015).  In the cases of cybersecurity breaches on motor vehicles and common carriers, an added consequence of personal injury exists that will raise the potential damages in litigation against defendants.

We recognize the tremendous potential and current legal implications facing consumer products, automotive, railway and aviation makers and software developers as they battle to develop increased cybersecurity to prevent data breaches and malicious hacks.   We will continue to monitor advances in cybersecurity litigation as it relates to the new wave of technology-enhanced cars, planes and even trains!