KEN KIRSCHENBAUM, ESQ
ALARM - SECURITY INDUSTRY LEGAL EMAIL NEWSLETTER / THE ALARM EXCHANGE
**************************************************************************************************
ADT lawsuit for cyber attack liability / use our Standard Form Agreements and avoid class actions
July 8,  2017
***************************
Ken:
    The article below appears on the IPVM.com website and I thought everyone would find it interesting.
Michael Glasser CPP PSP PCI CISSP CSPM
North America Security Consulting Manager
Microsoft Global Security
********************
Response
*********************
    Thanks for sharing this and thanks to IPVM who authorized the article, written by the IPVM Team, to be re-published here.  Hacking, cyber security, data theft and corruption are all concerns the alarm industry needs to consider, as well as class actions.  Both of these issues are squarely addressed in the Standard Form Agreements.  So, don't be like ADT, use the Standard Form Agreement.  Here's the IPVM article.
*********************
No Hack, Still Liable, Court Finds ADT by IPVM Team
 
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit.
One of the most important and interesting points behind this settlement is a court order that found ADT could be found liable even if no actual hacks were proven. Many could see this as counterintuitive since what 'damage' had occurred if there was no hack / incident?
In this note, we examine that court order, how the Court reached that conclusion and what impact it might have on manufacturers and providers generally.
 
Executive Summary
A US California Court in Edenborough vs ADT found that ADT had failed to disclose the vulnerability despite having an obligation to do so:
the Court concludes that Plaintiff sufficiently alleges that ADT owed him a duty to disclose because ADT had exclusive knowledge of material facts unknown to Plaintiff.
The liability / risk still exists, even without an actual hack, since the court concludes that the provider (ADT here) should have disclosed the vulnerability and did not sufficiently do so.
 
Industry Knowledge
The California court explicitly calls out that the industry knew about these risks:
the publications cited by Plaintiff in the FAC suggest that the industry to which ADT belongs knew of the vulnerability of wireless devices long before Plaintiff contracted with ADT.
Consumers Not Expected To Know
At the same time, the California court found that consumers would not be expected to know of these risks:
that plaintiff had sufficiently pleaded superior knowledge and noting that "[w]hile prospective customers could have been tipped off to the possibility of [a defect], many customers would not have performed such a search, nor would they be expected to").
 
Rejects Lack of Hacking
ADT countered by emphasizing no proof of actual hackings but the court rejected that, arguing that a consumer might not have bought the offering if they knew:
a defect need not be proximate to be material. It is certainly plausible that a reasonable consumer would attach importance to the fact that their home security system could easily be hacked and bypassed, even absent proven instances of such hacking.
 
General Exclusions Language Insufficient
The Court rejected ADT's attempt to apply its general exclusion language, that is:
"ADT may not receive alarm signals if communications or power is interrupted for any reason" and "no alarm system can provide complete protection or guarantee prevention of loss or injury."
Finding it ambiguous, the Court found it did not cover the specific risk:
That language is not a disclosure of the allegedly omitted fact, namely that ADT's wireless systems are vulnerable to hacking, jamming, and other techniques.
 
Misleading Advertising / Deceptive Practices Laws Applied
The Court specifically found this based on applying the California Unfair Competition Law (UCL) and the California Consumers Legal Remedies Act (CLRA), laws designed to protect consumers against misleading advertising and deceptive acts of suppliers.
Industry Impact?
 
Disclaimer: IPVM does not offer legal advice and recommends consulting one's attorneys.
From a business perspective, it does raise concerns. Many often suppose cyber security risks are only an issue if an actual exploit / hack / attack occurs. This court case, as well as the US FTC's charges against D-Link's IP cameras, are examples of manufacturers or providers facing legal risks and financial penalties for effectively misleading buyers about the security risks the offering has.
One potentially mitigating factor, logistically, is that ADT's sheer size ($3 - $4 billion annual revenue) attracts such lawsuits. Most smaller companies may not trigger sufficient buyer / consumer efforts to pursue litigation. Moreover, it is possible that ADT's monthly service charges could increase risk and / or financial claims compared with hardware manufacturers that sell products for a one-time charge.
Most importantly, this case underscores that what a supplier claims (e.g., security strength) and omits (e.g., known security risks) could be used by buyers to sue a supplier even if the buyer has not actually been hacked, but simply claims that they would not have bought a certain offering if the supplier had properly disclosed / fairly marketed their offering. This is the type of risk that suppliers should carefully evaluate.  Read the article on IPVM's website here.
*********************


Ken Kirschenbaum,Esq
Kirschenbaum & Kirschenbaum PC
Attorneys at Law
200 Garden City Plaza
Garden City, NY 11530
516 747 6700 x 301
ken@kirschenbaumesq.com
516 747 6700
www.KirschenbaumEsq.com
oovoo account: KenKirschenbaum