September 22, 2021

Volume XI, Number 265


September 21, 2021

Subscribe to Latest Legal News and Analysis

September 20, 2021

Subscribe to Latest Legal News and Analysis

Vehicle Manufacturers Face Cybersecurity Challenges

Over the last several decades, there have been significant advancements in automotive technology. Today’s vehicles are equipped with more and more sophisticated computer systems than ever before. But as our reliance on technology continues to grow, so does the potential for cybersecurity attacks and resulting litigation. That’s why it’s becoming increasingly important for car manufacturers to pay close attention to the legal landscape.

Legal Landscape

One recent case illustrates what’s going on. On March 27, 2020, the U.S. District Court for the Southern District of Illinois dismissed an automotive cybersecurity class action lawsuit, Flynn v. FCA US LLC. In Flynn, the plaintiffs alleged that the Uconnect system that allows integrated control over phone, navigation, and entertainment functions in certain vehicles was vulnerable to hackers seeking to take remote control of those vehicles. Plaintiffs further alleged that “but for [d]efendants’ misrepresentations about the [vulnerabilities of the Uconnect system], they would not have purchased the vehicles or would have paid less for them.”

Some background: The lawsuit was filed following a 2015 Wired magazine news article that demonstrated that the Uconnect system could be hacked in a controlled environment. However, aside from the hack described in the news article, there had been no other reports of hackers remotely accessing or seizing control of the system. In fact, “[p]laintiffs concede[d] that only one hack of the 1.2 million vehicles with the purported defects has occurred, and that one occurrence took place when two highly trained researchers hacked a vehicle in a controlled setting.”

Recognizing that no product is foolproof, the district court held that the fact that a product has vulnerabilities does not make that product defective. Further, the court ruled that plaintiffs’ allegations that their vehicles were worth less than they would be without the alleged Uconnect defects were conclusory and unsupported by any evidence. Plaintiffs did not allege that “their Uconnect systems do not work; that they have experienced any problems related to the Uconnect system; that they are unwilling to drive their vehicles because of the defects in the Uconnect systems; or that they have sold or traded (or attempted to sell or trade) their vehicles at a loss due to the alleged defects in the Uconnect system.” Further, plaintiffs’ damages expert did not establish “a demonstrable effect on the market for [p]laintiffs’ vehicles based on, for example, documented recalls, declining Kelley Bluebook values, or a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” The court also noted that “a future risk of hacking is too speculative” and that “allegations of economic loss stemming from speculative risk of future harm cannot establish standing.”

The district court’s dismissal was a big win for car manufacturers, but the plaintiffs have since appealed the dismissal. The Seventh Circuit heard oral arguments on October 27, 2020, and has taken the matter under advisement.

Flynn is not the first automotive cybersecurity lawsuit of its kind. For example, in Cahen v. Toyota Motor Corp., which was filed in the U.S. District Court for the Northern District of California in 2015, the plaintiffs claimed that the computer technology in certain vehicles was susceptible to hacking, but did not allege that any of their vehicles were actually hacked. As in Flynn, the district court in Cahen dismissed the case because plaintiffs did not suffer any injury beyond a speculative risk of hacking, and the Ninth Circuit affirmed that decision.

If the outcome of the Flynn appeal is the same as the outcome in Cahen, it will set helpful precedent for car manufacturers in the Seventh Circuit. We will continue to monitor the appellate decision and report any significant developments.


As the legal landscape surrounding automotive cybersecurity continues to develop, car manufacturers may want to consider taking steps to minimize risks of cybersecurity attacks and litigation. In 2016, the National Highway Traffic Safety Administration (NHTSA) published a Cybersecurity Best Practices for Modern Vehicles manual, which contains guidance for improving motor vehicle cybersecurity. Additionally, the Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-driven community that is aimed at enhancing vehicle cybersecurity capabilities, also published cybersecurity best practices. Although these manuals contain non-binding guidance, they provide guidance to manufacturers and possibly a way to mitigate risk if their technology is eventually hacked.

Vehicle cybersecurity is a dynamic field that is changing rapidly. As vehicles become more reliant on software, manufacturers should continue to monitor the legal landscape and ensure they are taking the appropriate steps to protect themselves from potential liability.

© 2021 Schiff Hardin LLPNational Law Review, Volume XI, Number 19

About this Author

Mariam Chamilova Litigation Attorney Schiff Hardin Chicago, IL

Mariam has assisted with research and writing for a broad range of legal matters in various stages of litigation. She has experience drafting judicial opinions and preparing memoranda for summary judgment motions, motions to dismiss, and administrative review cases.

With a strong background in science, Mariam brings a keen technical eye to her analysis and observations for clients. She believes that having a strong understanding of the intricacies of a client’s business is key in helping clients achieve their goals.


  • Illinois
    Jill Berry, Litigation Attorney, Schiff Hardin, mass tort resolution lawyer, consumer products legal counsel, manufacturing law, trial representation

    Jill Berry represents companies facing product liability and mass tort risk in some of the most dangerous jurisdictions for defendants in the United States.  Jill is skilled at negotiating complex agreements to control risk, and participates in joint defense initiatives that shape mass tort litigation dockets.  

    Jill was a lead member of a team of lawyers that represented The Port Authority of New York and New Jersey in property damage and business loss litigation arising from the collapse of 7 World Trade Center, and in 10,000 lawsuits by first...