A recent motion for preliminary approval of a class action settlement filed in federal court in Georgia will bring to a close claims asserted on behalf of a class of Porsche owners for a purportedly botched over-the-air (“OTA”) software update sent to their vehicles. But a recent decision by a California federal court suggests that manufacturers may be able to avoid claims for violation of the Computer Fraud and Abuse Act (“CFAA”) so long as they do not “blatantly misdescribe” the OTA updates they transmit to vehicle owners. Taken together, these cases signal the challenges automakers will face in defending software malfunction cases and the benefits of robust disclosure when transmitting OTA software updates.
Proposed Settlement in Bowen
In Bowen v. Porsche Cars, N.A., Inc., filed in the U.S. District Court for the Northern District of Georgia in January 2021, the owner of a 2011 Porsche vehicle filed suit based on a claim that a signal transmitted by Sirius XM Radio and “facilitated” by Porsche during a 2020 Memorial Day weekend promotional campaign caused a serious malfunction in the “infotainment” system of his vehicle. According to the complaint, an OTA software update to the Porsche Communications Management (“PCM”) unit in the vehicle caused the PCM to “continuously reboot,” causing a range of problems including malfunction of the system and draining the vehicle’s battery.
In a September 2021 order, the court granted Porsche’s motion to dismiss claims for negligence and unjust enrichment, but found that Porsche must answer the vehicle owner’s claims for violation of the CFAA and trespass to personality. The court found that “[t]he intent element under the CFAA requires merely that access to a computer system not be a careless or inadvertent mistake,” so that “either directly sending or facilitating the transmittal” of OTA updates could trigger liability.
The unopposed motion for preliminary approval, filed by plaintiff vehicle owners in the Bowen case in January 2023, calls for the certification of a class of “entities and individuals in the United States who, as of May 20, 2020, owned or leased . . . any Porsche vehicle equipped with an XM radio antenna and PCM 3.1 which is the sole PCM model to have been impacted by the rebooting at issue).” The proposed settlement requires Porsche to fund up to $7,500 in repairs per affected vehicle; provide compensation for class members who have already paid out-of-pocket for repairs; and give owners who have not yet been able to obtain satisfactory repairs the ability to do so for up to a year after approval of the settlement. Porsche also agreed to pay up to $1,975,000 in attorneys’ fees and another $75,000 in costs. In their motion for preliminary approval, the plaintiff vehicle owners argued that “this relief approaches—and in some ways may exceed—the level of compensation that realistically may have been obtainable after a successful trial.”
Other OEM Has More Success on Motion to Dismiss
Another major auto manufacturer recently faced a CFAA lawsuit based on faulty OTA software updates, but succeeded in disposing of the case on a motion to dismiss. In that case, a putative class action filed in the U.S. District Court for the Central District of California in January 2021, the plaintiff vehicle owners claimed that the manufacturer had manipulated their vehicle batteries through unauthorized software updates that resulted in diminished battery capacity in violation of the CFAA, as well as breach of warranty in violation of the federal Magnuson-Moss Warranty Act and California’s Song-Beverly Act.
In a May 12, 2022 order granting the manufacturer’s motion to dismiss, the court rejected the CFAA claim on several grounds. See Fish, 2022 WL 1552137 (C.D. Cal. May 12, 2022). First, the court held the vehicle owners failed to plead the requisite $5,000 in damages within the “narrow conception of loss” under the CFAA, which confines losses to the reasonable costs to restore a system to its condition prior to the offense. But the vehicle owners had alleged only that the manufacturers OTA update had purportedly diminished the value of the battery system, not that they actually incurred any costs in attempting to repair the alleged damage.
Second, the court addressed the meaning of “unauthorized access” in the context of the CFAA, and explained that the concept of exceeding authorized access “does not apply to individuals with improper motives who simply utilize access that is ‘otherwise available to them.’” Because the manufacturer had unfettered access to the vehicle owners’ media control units and batteries, “the fact that [the manufacturer] allegedly damaged these systems without [the owners’] consent is irrelevant.” The court left room for claims under the CFAA where a manufacturer is alleged to have “blatantly misdescribed the nature of the . . . updates,” but noted that the plaintiff vehicle owners in that case had failed to do so.
Both Bowen and Fish effectively were resolved at the pleading stage on motions to dismiss. In Bowen, the manufacturer settled after an unsuccessful loss on a motion to dismiss, presumably due to the cost of defense and risk of loss given the potential size of the putative class. But the Fish case suggests that manufacturers may be able to score early victories and avoid liability through robust disclosure to vehicle owners concerning OTA software updates prior to installation of those updates.