
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


Cybersecurity liability? But there was no hack...

In Edenborough v. ADT, the United States District Court for the Northern District of California sustained fraudulent omission claims against ADT relating to cybersecurity flaws in ADT’s consumer devices—even without allegations that the devices had been hacked. The court found that the plaintiff stated a claim under California state consumer protection laws simply by alleging that (1) ADT knew that its home security devices could be hacked and (2) ADT failed to disclose that possibility to buyers.

Edenborough combines two familiar principles, but to dramatic effect. First, the court recognized that cybersecurity flaws can amount to consumer misrepresentations if they aren’t disclosed. That principle is old hat, and has been the basis for many a lawsuit and regulatory action. Second, the Court permitted the suit to continue despite the fact that the alleged harm was only hypothetical. That, too, has at least some precedent: The Seventh Circuit in Remijas v. Neiman Marcus also held that cybersecurity suits could be brought even if consumers haven’t yet experienced any real harm. But those cases differ from the present one in an important way: There was at least a hack! The theory of this case seems to be that the mere misrepresentation about cybersecurity is enough to produce liability—no harm required, no hack required. The Court quickly disposed of ADT’s argument that Edenborough only faced a hypothetical risk of harm. Unsurprisingly, the Court found that vulnerabilities in a home security system are material to decisions about buying the system. Because the omission was material, actual reliance, the path to liability, could be inferred. The Court even held that Edenborough “need not specify in detail the exact methods of hacking to which ADT knew its devices were vulnerable.” He only needed to “generally allege” that ADT knew, and didn’t disclose, “that its devices were unencrypted and vulnerable to hacking.” There’s a bit of FTC precedent for this, but not a whole lot in the civil realm.

The question is how far this principle extends. Does it mean that any security flaw, whether exploited or not, gives rise to liability? Maybe not. This was a case about the sale of devices—and security devices, to boot. The cybersecurity flaws cut to the heart of what ADT was selling. So perhaps it’s easier to say that consumers were harmed because they bought devices without knowing their shortcomings. Plaintiffs will have a harder case in the more routine situation where a company stores consumer (or employee) data behind imperfect computer systems. Whether or not future courts draw this distinction, and thereby limit Edenborough’s effect, will be of critical importance.