On Wednesday, a Ring LLC purchaser and accountholder filed a class-action complaint over the company’s purported persisting cybersecurity vulnerabilities in an effort to address their “egregious failure to provide the safety and security it ostensibly promises its customers and to respect the most fundamental of its customers’ autonomy and privacy rights – the right to privacy in one’s home – and the very principles upon which the company was purportedly built.”
According to the Central District of California complaint, Ring “markets and sells home security remote-access cameras and appurtenant software” which are intended to be used in and around the home. However, the plaintiff alleged that while Ring promised to give customers “peace of mind” and put “security first,” its devices “expose the most intimate areas of customers’ homes – and consequently the most private aspects of customers’ lives – to unauthorized third parties through its deliberately inadequate security measures that allows hackers to invade and terrorize homes.” The plaintiff averred that Ring has failed to protect consumers because of these cybersecurity vulnerabilities.
The plaintiff asserted that Ring knew about these vulnerabilities because of previous user accounts and devices that were hacked. In particular, Ring was sued in December 2019 over a hacking vulnerability following an investigation revealing flaws. Currently, there is a pending consolidated lawsuit regarding these hacking vulnerabilities and incidents; in that lawsuit, Ring moved to compel arbitration which the plaintiffs opposed.
Instead of sufficiently addressing these purported issues, the plaintiff argued, Ring has provided “tardy” updates that are still insufficient to protect consumers. The allegations in the instant action seemingly indicate that more than a year after the first lawsuits were filed, the security vulnerabilities persist.
Consequently, the plaintiff proffered that the purported cybersecurity vulnerabilities allow hackers to hack into a Ring device and possibly enter their home networks. For example, Ring has allegedly not addressed security issues such as limiting the number of failed login attempts, basic IP detection, and warning consumers of multiple attempts from different geographic locations, among other things.
Moreover, the plaintiff contended that Ring “shared users’ sensitive personal identifying information with third parties without first obtaining users’ authorization or consent” because Ring integrated multiple third-party trackers. Reportedly, this PII and other sensitive information allowed third parties “to build comprehensive and unique digital fingerprints to track consumer behavior and engage in surveillance” beyond a user’s home. The plaintiff added that Ring continues to sell these devices that have cybersecurity vulnerabilities. As a result, the plaintiff alleged that Ring users are at a high risk for injury or harm from hacking or a data breach.
The putative Purchaser/Accountholder class consists of: “All persons who purchased a Ring security device of any kind from Ring LLC and/or created a Ring account during the applicable limitations period from the state of Massachusetts and nationwide.”
The counts against Ring include: negligence, violation of California Unfair Competition Law, breach of implied contract, unjust enrichment, breach of implied warranty of merchantability, and violation of Massachusetts’ unfair competition law.
The plaintiff seeks class certification, for the plaintiff to be appointed class representative, declaratory judgment in the plaintiff’s favor, an award for damages, restitution, pre and post judgment interest, and an award for costs and fees.
The plaintiff is represented by Devlin Law Firm LLC.