No Hack, Still Liable, Court Finds ADT

By: IPVM Team, Published on Jun 20, 2017

Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit.

One of the most important and interesting points behind this settlement is a court order that found ADT could be found liable even if no actual hacks were proven. Many could see this as counterintuitive since what 'damage' had occurred if there was no hack / incident?

In this note, we examine that court order, how the Court reached that conclusion and what impact it might have on manufacturers and providers generally.


Comments (19)

It's a very interesting read, but my interpretation is that any device that can ever, under any circumstances, be connected to the Internet must have a disclosure that it can be hacked. This includes every PC ever built, routers/firewall, any "smart" product or IoT device, etc. Back in the military they had a security rating for devices that a company providing computers was proud to claim, but they also noted that this security rating was immediately invalid if the computer was plugged into a network.

my interpretation is that any device that can ever, under any circumstances, be connected to the Internet must have a disclosure that it can be hacked

My interpretation (based on "The Court rejected ADT applying their general exclusion language") was that if something specific is known (e.g., unencrypted wireless), it needs to be specifically disclosed, not simply a generic 'anything can be hacked' statement.

I see this as an unforgivable omission in ADT's sales strategy. When I used to sell monitoring services in my country (Costa Rica) we stated clearly in the contract - which had to be signed by the client - that our burglar alarm system and monitoring service was not an insurance policy. We offered the service as a way to lower the probability of an intrusion and made clear that the probability of such an undesirable event was never zero.

which had to be signed by the client - that our burglar alarm system and monitoring service was not an insurance policy.

Edgar, in this case, my understanding is that such a disclosure / exclusion would not have made a difference, since neither ADT nor the plaintiff allege that the system was an insurance policy.

I do not know what the consumer deceptive advertising laws are in Costa Rica, but in the USA, there are a fair number of such laws and those are the laws that are causing / driving this issue.

This is huge. The industry has relied on that contract language as an ultimate get out of jail free card for years.

It will be interesting to see what the trickle-down will be as a result of this ruling.

With IoT becoming a focus in the PhySec space, the liability for manufacturers and integrators will only increase. There has always been tension in the retail market, with considerations for PCI compliance in the past; however, this could set a precedent that will affect many other systems connecting to the internet in virtually every vertical.

One of the big questions I have is, "who is really responsible?"

- The manufacturer (ADT being both in this case)

- The Integrator

- IT departments

- End-user... etc.

As we become an increasingly connected society, the questions and challenges in front of us increase.

I do not want to re-hash the recent issues of manufacturers' vulnerabilities; however, I would argue that all manufacturers and integrators need to get a solid handle on how to respond to these issues, not just from a technical perspective, but also from a liability standpoint.

I asked this exact question to a discussion panel at SSN's TechSecSolutions conference earlier this year. The panel was an impressive collection of industry veterans and their response was a consensus that the responsibility is shared.

"Shared" implying that each of them can blame the others when it hits the fan and no one takes responsibility. Almost as good as having that weatherman job.

ADT countered by emphasizing no proof of actual hackings but the court rejected that, arguing that a consumer might not have bought the offering if they knew:

That's going to have an interesting effect on the bean counters who measure cost of liability versus cost of eliminating the problem. The common theme being "If we only expect $1M in lawsuits, but fixing the problem costs $1.5M, best to just leave the problem alone". I think this is a curve ball to the way things normally go in this area, and that the justice system may be trying to curve that kind of thinking.

It's about time the industry takes these matters seriously.

Someone should take a class action suit against Hikvision and Dahua.

Their products are too easily hackable.

Every business has a duty of care; the security industry has been putting money first.

Hik and Dahua are at fault here too.

They know their products are flawed.

I looked at a copy of the Kirschenbaum contract, of which the relevant section is reproduced below:

  1. WIRELESS AND INTERNET ACCESS CAPABILITIES: Subscriber is responsible for supplying high speed Internet access and or wireless services at Subscriber's premises. RADIUS does not provide Internet service, maintain Internet connection, wireless access or communication pathways, computer, smart phone, electric current connection or supply, or in all cases the remote video server. In consideration of Subscriber making its monthly payments for remote access to the system RADIUS will authorize Subscriber access. RADIUS is not responsible for Subscriber's access to the Internet or any interruption of service or down time of remote access caused by loss of Internet service, radio or cellular or any other mode of communication used by Subscriber to access the system. Subscriber acknowledges that Subscriber's security system can be compromised if the codes or devices used for access are lost or accessed by others and RADIUS shall have no liability for such third party unauthorized access. RADIUS is not responsible for the security or privacy of any wireless network system or router. Wireless systems can be accessed by others, and it is the Subscriber's responsibility to secure access to the system with pass codes and lock out codes. RADIUS is not responsible for access to wireless networks or devices that may not be supported by communication carriers and upgrades to subscriber system will be at subscriber's expense.

In many cases providing managed video services we are providing the internet service, or the wireless service, or connecting to the internet through the customer's equipment. I think these contracts need to address the different situations.

Robert,

Thanks for sharing. I am not sure that the section you shared is germane to this issue, i.e.:

Subscriber is responsible for supplying high speed Internet access and or wireless services at Subscriber's premises....

RADIUS is not responsible for the security or privacy of any wireless network system or router. Wireless systems can be accessed by others, and it is the Subscriber's responsibility to secure access to the system with pass codes and lock out codes. [IPVM highlighted]

The way I read this is that it is a disclaimer about the user's own wireless network, not the wireless communications inherent / part of the alarm system. In the ADT case, they are saying that the ADT system's own wireless was insecure, not the homeowner's wireless network.

Agree/disagree? Am I missing something?

Related, I asked Kirschenbaum about this and he said he was planning a newsletter about this topic.

I was raising a related issue. What I was trying to get at is that the contract agreements used by ADT and the Kirschenbaum contracts are making assumptions about how internet or wifi is provided, as described in the above clause 9. IPVM users, who use more internet connectivity than the alarm industry, likely may be using similarly worded contracts. I see that managed video service providers (like IPVM users) are even more exposed to hacking than the alarm industry and probably don't have contracts to cover the range of liability exposure they face:

1. A customer site is hacked and the camera provider is blamed for the breach, even though it is caused by the customer's own equipment, employees, practices,...

2. Lack of 2 level authentication, no encryption leading to a customer site being hacked.

3. Passcodes shared by former employees to 3rd parties.

You can probably add to the list.

Contracts for our industry need to include wording that the big boys (Google, Apple, Microsoft) are using.

A customer site is hacked and the camera provider is blamed for the breach, even though it is caused by the customer's own equipment, employees, practices,...

Ok, but to be clear, the ADT / Edenborough case is not about a hack occurring at all, ergo the title of this post - 'No Hack, Still Liable'.

I am not contesting the clauses you reference. I am emphasizing that those clauses are not enough to handle the case of this post, because this is about false / misleading advertising, not damage from a hack.

The issue at hand is the hacking of wireless alarm systems and the potential that someone could hack into the ADT burglar alarm via wireless transmitters and or keypads and manipulate the status of the alarm system to either cause an alarm to create a response or disable the device by some sort of jamming.

While the absence of any case where it has been done successfully should be a mitigating point, for some reason in California it was not.

Example: If I sell you a house that has used a significant amount of fire resistant products to protect against fire, that does not mean your house will not burn down.

I could build the house out of all concrete and that still does not mean everything in the house will not burn and still result in a loss.

Absolute is a very tough standard to measure against.

Example: If I sell you a house that has used a significant amount of fire resistant products to protect against fire, that does not mean your house will not burn down.

If you sell fire resistant products that the manufacturer warned you a couple years back are flawed in some way, the consumer might be able to sue you even if their house didn't burn down. And your attorney might advise you to settle, too. That's more analogous to what happened here.

I don't know how Hik and Dahua get away with it.

Theirs have inherent problems and no one cares.
