Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court
from the locked-in dept
A class action's worth of hotels weren't satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.
The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the courts says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card….the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”Let's deal with these in order. Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, at least is easily understandable as a product that doesn't perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock "works" by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn't, and this one doesn't. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fix does exist for its electronic lock, it only wants hotels to pay for the pleasure of having their product work properly.
As for that last claim: in what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn't stop illegal behavior because the behavior its product isn't stopping is illegal? An alarm system that fails to alarm when criminals break into a building isn't protected by the fact that the break-in is illegal.
The whole ruling appears to be a case of an ill-informed judge, one that may have unfortunate consequences in other areas of the law.
The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceredian, where consumers’ personal data is stolen but consumers can’t show directly attributable adverse consequence from this theft. I understood the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, this analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.Thankfully the ruling is being appealed, so hopefully a future court will get this corrected, but keep in mind that all this is the result of a lock company that makes locks that do not lock if someone comes along with fifty dollars worth of low-end technology. Happy traveling, readers....
This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.