Updates to Chapter 6

Liability for Insecure Products and Software

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

6.3 Private Litigation Over Insecure Products or Software

The case against Intel described in the book was finally dismissed in July 2022. Following the March 2020 dismissal, plaintiffs had filed an amended complaint. That cleared the standing hurdle, but in March 2021, the district court dismissed with prejudice claims alleging (1) fraud by concealment or omission; (2) breach of California’s Consumers Legal Remedies Act, Cal. Civ. Code §§ 1750, et seq.; and (3) breach of California’s false advertising law, Cal. Bus. & Prof. Code §§ 17500, et seq. In re Intel Corp. CPU Mktg., Sales Practices & Prods. Liab. Litig., 3:18-md-2828-SI, 2021 U.S. Dist. LEXIS 59634, 2021 WL 1198299 (D. Or. Mar. 29, 2021). In ruling on the fraud by omission theory, the court held that security vulnerabilities are not central to a processor’s function and therefore need not be disclosed. However, the court dismissed but gave plaintiffs leave to amend their nationwide claim under California’s Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §§ 17200, et seq., alleging unfair conduct; their nationwide claim for unjust enrichment; and their state subclass claims asserted under the deceptive or unfair trade practices acts or consumer protection laws of multiple states.

Then in January 2022, reviewing the second amended complaint, the court dismissed with prejudice all claims except those of plaintiffs who had purchased or leased products with Intel processors on or after September 1, 2017. For those plaintiffs, the court allowed the UCL, unjust enrichment, and state subclass claims to survive. In re Intel Corp. CPU Mktg., Sales Practices & Prods. Liab. Litig., 3:18-md-2828-SI, 2022 U.S. Dist. LEXIS 15396, 2022 WL 225304 (D. Or. Jan. 26, 2022). September 1, 2017 was significant because it was the date 90 days after Intel learned of the first exploit of certain vulnerabilities in its chip. The court understood the plaintiffs to be arguing that 90 days is the normal embargo period for an exploit. The court allowed the case to continue based on allegations that, after learning about the exploits (and having 90 days to assess them), Intel manipulated the embargo period to a longer time than the normal 90 days, advertised the performance and security of products knowing they were uniquely defective and would require extensive mitigation that would affect performance, and continued to charge a premium price for the chips.

In July 2022, the court granted Intel’s motion for reconsideration of that ruling and dismissed all claims, finally ending the case. 2022 U.S. Dist. LEXIS 120362 (D. Or. July 7, 2022). The court said that it had been mistaken as to the plaintiffs’ theory. For some reason, upon reconsideration, plaintiffs clarified that their claims were not based on any alleged unreasonable delay of an embargo period. Instead, the court said, plaintiffs were simply alleging that Intel sold product during a normal and reasonable embargo with “asymmetrical information” (i.e., Intel knew the product was insecure, buyers did not). But that, the court said, “describes the situation during every embargoed security vulnerability—the manufacturer will always know more about any security vulnerability than consumers during an information embargo. That is insufficient to state a claim for unfair conduct under the UCL.” Perhaps an unnecessary prolongation of the embargo period to delay the release of information about the flaw while still selling product that buyers assumed was secure would have been fraud, but that, the court found, was not what plaintiffs alleged. Also, the court made it clear that its earlier opinion, in using 90 days as the normal embargo period for a flaw, “was not intending to declare or establish any specific default embargo period, let alone one that would apply under all circumstances.”

This outcome may be relevant to—indeed, may give a further boost to—the practice of coordinated vulnerability disclosure, which is the practice, and now well-nigh a requirement, that hardware and software developers have a process for accepting and responding to third-party reports of vulnerabilities in their products. Many such programs are structured such that the researcher who discovers the vulnerability must agree to be quiet about it while the company is developing a patch. The final Intel opinion says that it is OK, in fact inevitable, that the company will continue to market and profit from the flawed product during the embargo period.

A similar case against Apple has also faced rough seas, but remains afloat as of June 2022. In re: Apple Processor Litigation, 5:18-cv-00147, 2022 U.S. Dist. LEXIS 102533 (N.D. Cal. June 8, 2022). The district court found that plaintiffs had failed to state a claim for fraud under an affirmative misrepresentation theory because they were unable to identify any statement from Apple that was both sufficiently specific to be actionable and false when made. Apple’s statements that iPhones are “secure” and built “with your privacy in mind” “do not speak to any specific or absolute characteristics about the iPhones’ security and are the type of statements that many courts have held to be non-actionable puffery.” The court likewise rejected an omissions-based theory of fraud, because the allegedly concealed defect was not central to the product’s function. (The district court relied on Hodsdon v. Mars, Inc., 891 F.3d 857, 861 (9th Cir. 2018), for the proposition that manufacturers have a duty to disclose only physical defects that are “central to the product’s function.”) While security vulnerabilities are central defects for network security products, Beyer v. Symantec Corp., 333 F. Supp. 3d 966, 980 (N.D. Cal. 2018), the court agreed with the Oregon district court ruling (in the Intel case described above) that security vulnerabilities are not central to a processor’s function. The court found deficiencies with the plaintiffs’ unjust enrichment claim and granted Apple’s motion to dismiss but also gave leave to amend. The court also dismissed a claim under the California UCL, but again with leave to amend.

Note: None of the rulings in the Intel or Apple cases has suggested that a company is legally obligated to design secure products (however one might define “secure”).

In July 2022, the Seventh Circuit affirmed dismissal for lack of standing of the Jeep case described in the book: “When litigation moves beyond the pleading stage and Article III standing is challenged as a factual matter, a plaintiff can no longer rely on mere allegations of injury; he must provide evidence of a legally cognizable injury in fact. The plaintiffs did not do so here.” Flynn v. FCA US LLC, 2022 U.S. App. LEXIS 19448, 2022 WL 2751660 (7th Cir. July 14, 2022).

Section 230 of the Communications Act, 47 U.S.C. § 230, protects app stores against liability for hosting apps that turn out to facilitate hacking. Diep v. Apple, 4:21-cv-10063, 2022 U.S. Dist. LEXIS 159138 (N.D. Cal. Sept. 2, 2022).

6.4 Legislative or Regulatory Standards for Products or Software

On May 12, 2021, President Biden issued Executive Order 14028, Improving the Nation’s Cybersecurity, 86 Fed. Reg. 26633 (May 17, 2021). The EO is aimed mainly at improving the security of government systems, see Chapter 9.2.11, but it also directs the Secretary of Commerce to work through the Director of NIST to initiate a pilot program informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and consider ways to incentivize manufacturers and developers to participate in the program. In developing the consumer labeling program pilot, the Secretary, through the Director of NIST, in coordination with the Chair of the Federal Trade Commission, shall identify IoT cybersecurity criteria. In addition, the Secretary of Commerce acting through the Director of NIST shall publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).

Last updated: Sept. 6, 2022.