Revisiting…Are Automakers Making Sufficient Efforts to Protect Customer Data?

By: Malcolm E. Lewis, CIPP/US, Alexander L. Turner, CIPP/US

As a follow-up to our previous article and webinar, “Are Automakers Making Sufficient Efforts to Protect Customer Data?”, we are addressing the recent 9th Circuit decision in Jones v. Ford Motor Co. At issue in this matter was whether Ford Motor Co. (“Ford”) violated the Washington Privacy Act (“WPA”), Wash. Rev. Code § 9.73.060. Plaintiff Jones owns a Ford automobile that has an integrated infotainment system. Plaintiff Jones exchanged private text messages with Plaintiff McKee before connecting his phone to the Ford infotainment system. Plaintiffs claimed Ford's integrated infotainment system installed on Plaintiff Jones’ Ford automobile unlawfully and without his consent downloaded, copied, and stored call logs and text messages made before Plaintiff Jones connected his cellphone to the infotainment system. Moreover, while the text messages can be deleted from the plaintiffs’ phones, they remain permanently stored on the Ford infotainment system after Plaintiff Jones’ phone is disconnected from the vehicle, and Plaintiff Jones is unable to access or delete personal information once it has been stored.

The plaintiffs’ claims were not that Ford was accessing their personal data, but that third parties could hypothetically have access to that data contained within the Ford infotainment system without the plaintiffs’ consent. The plaintiffs specifically referenced the Berla Corporation (“Berla”) as a third party that could improperly access these personal communications without their knowledge and consent. Berla manufactures hardware and software, available only to government entities and private investigators, that can extract the text messages and call logs stored on the Ford infotainment system. It was this possibility that someone could access their personal information stored on the infotainment system in Plaintiff Jones’ Ford vehicle that was the basis for their WPA claim.

The plaintiffs brought a putative class action against Ford for alleged violations of the WPA. In order to bring a claim pursuant to the WPA, the plaintiff must show “a violation of [the WPA] has injured his or her business, his or her person, or his or her reputation. A person so injured shall be entitled to actual damages . . . or liquidated damages.” The plaintiffs alleged a mere violation of the WPA is sufficient to show a violation of privacy constitutes an actual injury. However, the 9th Circuit disagreed. It held that an invasion of privacy without an injury to “his or her business, his or her person, or his or her reputation[]” is insufficient to satisfy the injury requirement of the WPA. On that basis, the 9th Circuit affirmed the District Court’s granting of Ford’s Motion to Dismiss for failure to state a claim.

This case does not mean Ford’s conduct in having its infotainment systems capture all data from connected phones is a good cybersecurity practice, or even beneficial to its customers. All it means is that Ford’s conduct was not a violation of this specific statute. Generally, even if there was a data breach that resulted from Ford’s infotainment collecting and storing all of this information, courts around the country have dismissed cases where the plaintiff cannot demonstrate an actual concrete injury as a result of the breach. Possible or hypothetical future injuries are not sufficient to maintain such a claim.

Litigation is expensive, even if you ultimately win. Ford’s collection of all of its customers’ phone data is an example of unnecessary collection of data that opens up Ford to liability. Why does Ford want its infotainment systems to collect and indefinitely store this information? How does Ford use this information? What happens when the initial customer sells that vehicle with all of the customer’s phone data on it that the customer cannot access or delete? Whose data is it then? These are all important questions with few answers. Ford could have experienced considerable liability if the fact pattern was different, or if this case was brought in a different state under a different statutory framework. If someone had improperly utilized technology, like Berla’s technology, to access Plaintiff Jones’ stored phone data, and used that information to harm Plaintiff Jones or Plaintiff McKee in a variety of ways that resulted in an actual injury, this litigation would not have been dismissed and would have continued. Ford was lucky the case brought against it in Washington did not include an actual injury and was dismissed at its initial stages. 

Limiting the data your organization collects limits your risk in the event of a data breach. That is why we advocate for an organization to conduct an annual data audit. A data audit lets you know what data your organization is collecting, why it wants to collect it, how it is going to use it, and when and how it is going to dispose of it when it is no longer needed. Your organization should only hold the data it absolutely needs to complete its stated mission. The annual audit also allows the organization to update its internal privacy policy and external privacy notice that instructs everyone how the organization will use the data it collects. If your organization needs assistance conducting a data audit and developing its privacy policies and privacy notices, please contact a member of Spilman’s Technology Practice Group.