Lock Manufacturer Onity Had Only One Job, But Isn’t Liable For Failing To Do It Well (Forbes Cross-Post)

Photo credit: "Do not disturb sign hang on door knob" // ShutterStock

Let’s start with two non-controversial propositions: (1) no lock offers perfect security, and (2) any lock that can be defeated by a “stupidly simple” method is functionally worthless. But can a buyer of a functionally worthless lock recover in court? A federal court recently reached a surprising answer to that question.

Onity manufactures hotel locks. The plaintiffs seek to form a class action for hotels that bought two of Onity’s locks. At a security conference in 2012, security researchers demonstrated how the locks could be breached using a “stupidly simple” method. Naturally, this presentation caused some consternation among Onity’s hotel customers. Onity offered “a temporary mechanical cap” to block the attack, or hotels could buy a replacement circuit board. I understand why hotels weren’t thrilled with the latter option, but the opinion doesn’t explain why the hotels rejected the temporary cap. The opinion also doesn’t explain why Onity didn’t offer to repair or replace the locks at its expense, even though the in-the-field failure of Onity’s locks–and Onity’s limp response–posed potentially fatal consequences to its business (think about the “You had one job” meme as applied to lock manufacturers). Andy Greenberg provides more details about Onity’s foot-dragging response; and his follow-up article indicates that bad folks were still taking advantage of the security flaw months after the public disclosure.

The hotels sued Onity for various warranty- and contract-related claims. The court grants Onity’s motion to dismiss on procedural grounds, holding that the plaintiffs lack standing: they hadn’t been injured enough to have the right to sue.

The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the court says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card…. the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”

Repeatedly citing the recent Supreme Court ruling in Clapper requiring that plaintiffs show an “impending” injury, the court concludes that the hotels haven’t (yet?) suffered a legally cognizable injury sufficient to give them standing in court. However, this result was a little tone-deaf. It’s completely reasonable to anticipate hotels will fix the Onity locks once an easy bypass is publicly known. Failure to do so exposes the hotels to reputation losses if the locks are defeated; and I imagine the plaintiffs’ bar will take extra interest in any hotel that didn’t address the locks and had hotel guests suffer personal injury or property damage as a result. So, in practice, the locks became functionally worthless to the hotels after the announcement.

The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceridian, where consumers’ personal data is stolen but consumers can’t show any directly attributable adverse consequence from the theft. I understand the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, the analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.

This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.

[UPDATE: A reader said to me: “The ‘intervening illegal act’ barrier to standing makes a lot less sense in the context of a device intended to prevent illegal conduct.”]

[UPDATE 2: Plaintiffs’ counsel informed me that they’ve appealed the ruling.]

Case citation: U.S. Hotel and Resort Management, Inc. v. Onity, Inc., 2014 WL 3748639 (D. Minn. July 30, 2014).