Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court

from the locked-in dept

The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the courts says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card….the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”

The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceredian, where consumers’ personal data is stolen but consumers can’t show directly attributable adverse consequence from this theft. I understood the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, this analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.



This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

A couple years back, I wrote about the curious case of Onity, a company that makes door locks for hotel rooms. Thing is, their locks fail to do the one thing they're supposed to do, as shown when one man at a Black Hat security conference used a cheap device to access the lock's dataport and cause it to unlock. The idea was that a lock that is defeated by equipment that costs pocket change isn't so much a lock as it is a decoration. Onity, in the company's infinite wisdom, claimed the long term fix, a new system board, was available to its customers...for a price.A class action's worth of hotels weren't satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.Let's deal with these in order. Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, at least is easily understandable as a product that doesn't perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock "works" by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn't, and this one doesn't. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fixexist for its electronic lock, it only wants hotels to pay for the pleasure of having their product work properly.As for that last claim: in what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product thatstop illegal behavior because the behavior its product isn't stopping is illegal? An alarm system that fails to alarm when criminals break into a building isn't protected by the fact that the break-in is illegal.The whole ruling appears to be a case of an ill-informed judge, one that may have unfortunate consequences in other areas of the law.Thankfully the ruling is being appealed, so hopefully a future court will get this corrected, but keep in mind that all this is the result of a lock company that makes locks that do not lock if someone comes along with fifty dollars worth of low-end technology. Happy traveling, readers....

Filed Under: digital locks, hotels, locks, security

Companies: onity