In the
United States Court of Appeals for the Seventh Circuit ____________________ No. 20-1698 BRIAN FLYNN, et al., individually and on behalf of all others similarly situated, Plaintiffs-Appellants,
v.
FCA US LLC and HARMAN INTERNATIONAL INDUSTRIES, INC., Defendants-Appellees. ____________________
Appeal from the United States District Court for the Southern District of Illinois. No. 15-cv-855-SMY — Staci M. Yandle, Judge. ____________________
ARGUED OCTOBER 27, 2020 — DECIDED JULY 14, 2022 ____________________
Before SYKES, Chief Judge, and KANNE* and ST. EVE, Circuit Judges.
* Circuit Judge Kanne died on June 16, 2022, and did not participate in the decision of this case, which is being resolved under 28 U.S.C. § 46(d) by a quorum of the panel. 2 No. 20-1698
SYKES, Chief Judge. This class-action lawsuit arises from an alleged defect in the infotainment system in certain model year 2013–2015 Chrysler cars and trucks. The catalyst for the suit was a 2015 article in Wired magazine describing a con- trolled hack of a Jeep Cherokee driven by one of the maga- zine’s journalists. A team of cybersecurity researchers exploited a vulnerability in the Jeep’s “uConnect” infotain- ment system, designed by Harman International Industries, Inc., for installation in vehicles manufactured by FCA US LLC (formerly known as Chrysler). In the magazine’s exper- iment, the researchers were able to access the vehicle’s computer system and take control of many of its functions. FCA immediately issued a recall and provided a free software update to patch the vulnerability the magazine’s experiment had identified. Federal regulators supervising the recall determined that the patch eliminated the vulnera- bility. Other than the Jeep in the Wired test, no other Chrysler vehicle has been successfully hacked. About two weeks after the magazine article appeared, four plaintiffs—Brian Flynn, Michael Keith, and George and Kelly Brown—sued FCA and Harman International on behalf of every consumer who had purchased or leased a model year 2013–2015 Chrysler vehicle equipped with the uConnect infotainment system. They asserted claims under federal and state warranty and consumer-fraud laws based on allegations that the vehicles were vulnerable to cyberat- tacks. Article III standing has been a point of contention throughout the litigation. The plaintiffs’ theory is that alt- hough the alleged cybersecurity defect never manifested again after the controlled Wired hack, they nevertheless No. 20-1698 3
suffered an “overpayment” injury. That is, they claim that they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability. The overpayment theory survived several pleading-stage chal- lenges. After discovery closed, however—when faced with a factual challenge to standing—the plaintiffs failed to provide evidence in support of their claimed overpayment injury. The district judge dismissed the case for lack of standing. On the record before us, we agree with that disposition. When litigation moves beyond the pleading stage and Article III standing is challenged as a factual matter, a plain- tiff can no longer rely on mere allegations of injury; he must provide evidence of a legally cognizable injury in fact. The plaintiffs did not do so here. In response to the defendants’ factual challenge to standing, they continued to rely on allegations and legal argument rather than pointing to evidence of an actual injury. Accordingly, the case was properly dismissed. But the judge incorrectly dismissed it with prejudice, so we modify the judgment to reflect a dismissal for lack of subject-matter jurisdiction—without leave to amend—and affirm the judgment as modified. I. Background In July 2015 Wired magazine published an article describ- ing a controlled hack of the uConnect infotainment system in a Jeep Cherokee driven by a Wired journalist. The story and accompanying video showed how two cybersecurity re- searchers, working in conjunction with Wired, remotely took command of the Jeep and controlled features from comfort functions like air-conditioning to critical systems like the accelerator, steering, and brakes. 4 No. 20-1698
Within days of the article’s publication, FCA, the manu- facturer of the Jeep, issued a recall for the affected vehicles— model year 2013–2015 Chrysler cars and trucks—and pro- vided customers with a free software update to patch the vulnerability in the uConnect infotainment system identified in the Wired article. The National Transportation Safety Administration monitored the recall and determined that the software patch corrected the vulnerability. Except for the Jeep in the Wired experiment, no FCA vehicle has ever been successfully hacked. About two weeks after the article appeared, the four plaintiffs named here filed this class-action suit against FCA and Harman International, which designed and sold the uConnect system to FCA for installation in its vehicles. The suit alleged that design defects in the hardware and software of the affected vehicles made them susceptible to hacking, and a successful hack could be exceptionally dangerous. The complaint asserted claims under federal and state warranty law, state consumer-protection statutes, and the common law. The plaintiffs sought certification of a nationwide class of all persons who purchased or leased a model year 2013–2015 FCA vehicle equipped with the uConnect infotainment system, with statewide subclasses for Illinois, Michigan, and Missouri. Judge Reagan, who was initially assigned to the case, eventually certified the three statewide classes. Flynn v. FCA US LLC, 327 F.R.D. 206, 227 (S.D. Ill. 2018). FCA and Harman challenged the plaintiffs’ Article III standing on multiple occasions throughout the litigation. The complaint alleged four theories of injury: (1) increased risk of physical harm; (2) increased risk of fear and anxiety; No. 20-1698 5
(3) decreased market value of the plaintiffs’ vehicles; and (4) “overpayment”—that is, the plaintiffs paid more for the vehicles than they would have if they had known about the hacking vulnerability. After a series of motions, the first three injury theories dropped out. More specifically, in their first motion to dismiss, the defendants raised a facial challenge to all four theories of injury, and Judge Reagan granted the motion in part. He rejected the two risk-based theories, which relied on speculative allegations of increased risk of physical injury and anxiety arising from the possibility of a future hack. Those risks, the judge held, were too uncertain to support standing to sue. But the two theories of economic injury survived the pleadings-stage challenge. Accepting as true the plaintiffs’ allegations of diminished value and overpay- ment, Judge Reagan concluded that economic injuries of this type are generally sufficient to support standing. The judge’s ruling applied only to Flynn and Keith be- cause the Browns’ claims had been stayed pending arbitra- tion. When the stay was lifted and the case moved forward on the Browns’ claims, the defendants filed a second dismis- sal motion, which Judge Reagan again granted in part and denied in part on the same basis as the first. The defendants later moved for reconsideration of the partial denial of their dismissal motions after the Ninth Circuit held that the plaintiffs in a similar vehicle-hacking case lacked Article III standing. See Cahen v. Toyota Motor Corp., 717 F. App’x 720 (9th Cir. 2017). Judge Reagan denied reconsideration but certified his decision for interlocutory appeal. A motions panel of this court declined the certifica- tion. The plaintiffs eventually abandoned their diminished- 6 No. 20-1698
Free access — add to your briefcase to read the full text and ask questions with AI
In the
United States Court of Appeals for the Seventh Circuit ____________________ No. 20-1698 BRIAN FLYNN, et al., individually and on behalf of all others similarly situated, Plaintiffs-Appellants,
v.
FCA US LLC and HARMAN INTERNATIONAL INDUSTRIES, INC., Defendants-Appellees. ____________________
Appeal from the United States District Court for the Southern District of Illinois. No. 15-cv-855-SMY — Staci M. Yandle, Judge. ____________________
ARGUED OCTOBER 27, 2020 — DECIDED JULY 14, 2022 ____________________
Before SYKES, Chief Judge, and KANNE* and ST. EVE, Circuit Judges.
* Circuit Judge Kanne died on June 16, 2022, and did not participate in the decision of this case, which is being resolved under 28 U.S.C. § 46(d) by a quorum of the panel. 2 No. 20-1698
SYKES, Chief Judge. This class-action lawsuit arises from an alleged defect in the infotainment system in certain model year 2013–2015 Chrysler cars and trucks. The catalyst for the suit was a 2015 article in Wired magazine describing a con- trolled hack of a Jeep Cherokee driven by one of the maga- zine’s journalists. A team of cybersecurity researchers exploited a vulnerability in the Jeep’s “uConnect” infotain- ment system, designed by Harman International Industries, Inc., for installation in vehicles manufactured by FCA US LLC (formerly known as Chrysler). In the magazine’s exper- iment, the researchers were able to access the vehicle’s computer system and take control of many of its functions. FCA immediately issued a recall and provided a free software update to patch the vulnerability the magazine’s experiment had identified. Federal regulators supervising the recall determined that the patch eliminated the vulnera- bility. Other than the Jeep in the Wired test, no other Chrysler vehicle has been successfully hacked. About two weeks after the magazine article appeared, four plaintiffs—Brian Flynn, Michael Keith, and George and Kelly Brown—sued FCA and Harman International on behalf of every consumer who had purchased or leased a model year 2013–2015 Chrysler vehicle equipped with the uConnect infotainment system. They asserted claims under federal and state warranty and consumer-fraud laws based on allegations that the vehicles were vulnerable to cyberat- tacks. Article III standing has been a point of contention throughout the litigation. The plaintiffs’ theory is that alt- hough the alleged cybersecurity defect never manifested again after the controlled Wired hack, they nevertheless No. 20-1698 3
suffered an “overpayment” injury. That is, they claim that they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability. The overpayment theory survived several pleading-stage chal- lenges. After discovery closed, however—when faced with a factual challenge to standing—the plaintiffs failed to provide evidence in support of their claimed overpayment injury. The district judge dismissed the case for lack of standing. On the record before us, we agree with that disposition. When litigation moves beyond the pleading stage and Article III standing is challenged as a factual matter, a plain- tiff can no longer rely on mere allegations of injury; he must provide evidence of a legally cognizable injury in fact. The plaintiffs did not do so here. In response to the defendants’ factual challenge to standing, they continued to rely on allegations and legal argument rather than pointing to evidence of an actual injury. Accordingly, the case was properly dismissed. But the judge incorrectly dismissed it with prejudice, so we modify the judgment to reflect a dismissal for lack of subject-matter jurisdiction—without leave to amend—and affirm the judgment as modified. I. Background In July 2015 Wired magazine published an article describ- ing a controlled hack of the uConnect infotainment system in a Jeep Cherokee driven by a Wired journalist. The story and accompanying video showed how two cybersecurity re- searchers, working in conjunction with Wired, remotely took command of the Jeep and controlled features from comfort functions like air-conditioning to critical systems like the accelerator, steering, and brakes. 4 No. 20-1698
Within days of the article’s publication, FCA, the manu- facturer of the Jeep, issued a recall for the affected vehicles— model year 2013–2015 Chrysler cars and trucks—and pro- vided customers with a free software update to patch the vulnerability in the uConnect infotainment system identified in the Wired article. The National Transportation Safety Administration monitored the recall and determined that the software patch corrected the vulnerability. Except for the Jeep in the Wired experiment, no FCA vehicle has ever been successfully hacked. About two weeks after the article appeared, the four plaintiffs named here filed this class-action suit against FCA and Harman International, which designed and sold the uConnect system to FCA for installation in its vehicles. The suit alleged that design defects in the hardware and software of the affected vehicles made them susceptible to hacking, and a successful hack could be exceptionally dangerous. The complaint asserted claims under federal and state warranty law, state consumer-protection statutes, and the common law. The plaintiffs sought certification of a nationwide class of all persons who purchased or leased a model year 2013–2015 FCA vehicle equipped with the uConnect infotainment system, with statewide subclasses for Illinois, Michigan, and Missouri. Judge Reagan, who was initially assigned to the case, eventually certified the three statewide classes. Flynn v. FCA US LLC, 327 F.R.D. 206, 227 (S.D. Ill. 2018). FCA and Harman challenged the plaintiffs’ Article III standing on multiple occasions throughout the litigation. The complaint alleged four theories of injury: (1) increased risk of physical harm; (2) increased risk of fear and anxiety; No. 20-1698 5
(3) decreased market value of the plaintiffs’ vehicles; and (4) “overpayment”—that is, the plaintiffs paid more for the vehicles than they would have if they had known about the hacking vulnerability. After a series of motions, the first three injury theories dropped out. More specifically, in their first motion to dismiss, the defendants raised a facial challenge to all four theories of injury, and Judge Reagan granted the motion in part. He rejected the two risk-based theories, which relied on speculative allegations of increased risk of physical injury and anxiety arising from the possibility of a future hack. Those risks, the judge held, were too uncertain to support standing to sue. But the two theories of economic injury survived the pleadings-stage challenge. Accepting as true the plaintiffs’ allegations of diminished value and overpay- ment, Judge Reagan concluded that economic injuries of this type are generally sufficient to support standing. The judge’s ruling applied only to Flynn and Keith be- cause the Browns’ claims had been stayed pending arbitra- tion. When the stay was lifted and the case moved forward on the Browns’ claims, the defendants filed a second dismis- sal motion, which Judge Reagan again granted in part and denied in part on the same basis as the first. The defendants later moved for reconsideration of the partial denial of their dismissal motions after the Ninth Circuit held that the plaintiffs in a similar vehicle-hacking case lacked Article III standing. See Cahen v. Toyota Motor Corp., 717 F. App’x 720 (9th Cir. 2017). Judge Reagan denied reconsideration but certified his decision for interlocutory appeal. A motions panel of this court declined the certifica- tion. The plaintiffs eventually abandoned their diminished- 6 No. 20-1698
value theory of injury, acknowledging during a hearing on class certification that they lacked market data to support it. Only the alleged overpayment injury remained. As discovery proceeded, the plaintiffs produced reports by two proposed damages experts. Michael Kemp, a consumer-survey expert, designed and conducted a survey measuring the value consumers placed on various vehicle attributes, including cybersecurity. Michael Williams, an economist, used the results of Kemp’s survey to calculate the hypothetical change in supply and demand that would have occurred if the defendants had disclosed the alleged defects. Williams posited that the average consumer would have paid between $5,478 to $8,701 less for his vehicle had he known about the cybersecurity vulnerabilities. In the meantime, Judge Reagan retired, and the case was reassigned to Judge Yandle. After discovery closed, the defendants filed a flurry of motions, including a motion to decertify the classes; a new motion to dismiss for lack of subject-matter jurisdiction, this time raising a factual chal- lenge to standing based on insufficient proof of injury in fact; a motion for summary judgment; and motions to exclude the testimony of Kemp and Williams under Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993). The motion to dismiss for lack of standing took direct aim at the alleged overpayment injury—the only remaining theory of injury— arguing that the plaintiffs had no competent evidence that they paid more for their vehicles than they would have if they had known about the claimed cybersecurity defect. The plaintiffs responded to the dismissal motion but did not call the court’s attention to any evidence supporting their overpayment theory. Instead, they pointed to Judge Reagan’s No. 20-1698 7
earlier decisions and invoked the doctrine of law of the case, urging Judge Yandle to summarily deny the latest dismissal motion on that procedural ground. To the extent that their response moved beyond the law-of-the-case doctrine, the plaintiffs fell back on the allegations in their complaint and reprised their argument that an overpayment injury is legally cognizable as a general matter. They did not cite any factual support for their claimed injury. Judge Yandle turned first to the motion to dismiss for lack of standing—recognizing, appropriately enough, that jurisdictional challenges come before merits challenges. After quickly rejecting the law-of-the-case argument, she held that the plaintiffs failed to adequately support their claimed overpayment injury. Other than the single controlled-environment hack in the Wired experiment, the cybersecurity vulnerability never manifested in any vehicle equipped with the uConnect system, so she concluded that the plaintiffs had received exactly what they bargained for and had not shown any financial harm. On this reasoning she dismissed the case for lack of standing and did not reach the other motions. Although her ruling was clearly jurisdic- tional, not merits-based, she dismissed the case with preju- dice. II. Discussion We review de novo the district court’s dismissal for lack of Article III standing. Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1151 (7th Cir. 2020). The Constitution limits the jurisdiction of the federal courts to “Cases” and “Con- troversies.” U.S. CONST. art. III, § 2. Standing is an essential component of the case-or-controversy requirement, Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992), and consists of three 8 No. 20-1698
familiar elements: the plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be re- dressed by a favorable judicial decision,” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Standing is a core component of the plaintiff’s case, and it must be established in the same way as any other matter on which he bears the burden of proof. Lujan, 504 U.S. at 561. Accordingly, “the proof required to establish standing increases as the suit proceeds.” Davis v. FEC, 554 U.S. 724, 734 (2008). Our cases thus recognize two forms of standing challenges, each with its own procedural and evidentiary rules. See Silha v. ACT, Inc., 807 F.3d 169, 173 (7th Cir. 2015). A facial challenge attacks standing on the pleadings, arguing that the plaintiff lacks standing even if the well-pleaded allegations in the complaint are taken as true. Id. A factual challenge, by contrast, asserts that there is in fact no stand- ing. See Apex Digit., Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 444 (7th Cir. 2009). In response to a factual challenge, the plaintiff can no longer rest on the allegations in the com- plaint but must adduce specific evidence to satisfy each of the elements necessary to establish his standing to sue. Id. Faced with a factual challenge to standing, the plaintiffs failed to meet their burden here. The operative motion to dismiss for lack of standing—filed at the close of the discov- ery—argued both that the alleged overpayment injury was not cognizable as a legal matter and that the plaintiffs had no competent evidence that they suffered an overpayment injury as a factual matter. In response to the latter challenge, the plaintiffs could “no longer rest on … ‘mere allegations’” but instead had the burden to “‘set forth’ by affidavit or No. 20-1698 9
other evidence ‘specific facts’” supporting their standing to sue. Lujan, 504 U.S. at 561 (quoting FED. R. CIV. P. 56 (1992)). The plaintiffs clearly recognized the latest dismissal mo- tion as a factual challenge to standing. Indeed, they conced- ed as much at oral argument and spent much of their appellate brief disputing the proper evidentiary standard for addressing factual challenges to standing. Yet their response to the motion did exactly what Lujan says is inadequate in such circumstances. Instead of citing specific evidence in the record and developing a factual argument demonstrating that they suffered an overpayment injury, they relied on mere allegations from their complaint. 1 The plaintiffs now point to their expert reports as evi- dence in support of an overpayment injury. But they do so for the first time on appeal, which is far too late. We have repeatedly reminded litigants that we will not consider evidence and factual arguments that they did not present to the district court. E.g., Packer v. Trs. of Ind. Univ. Sch. of Med., 800 F.3d 843, 849 (7th Cir. 2015) (“[T]he dispositive point is that [the plaintiff] did not cite specific parts of that record in support of relevant factual arguments, as the rules required her to do.”); Milligan v. Bd. of Trs. of S. Ill. Univ., 686 F.3d 378, 389 (7th Cir. 2012) (holding that the plaintiff forfeited reli- ance on evidence not cited in a brief opposing summary judgment). Our task is to review the district court’s decision
1 The plaintiffs cast their argument in the form of a truism: they main- tained that consumers would pay less for an “unsafe” car than they would a “safe” car. But it was their burden to produce evidence in response to a factual challenge to standing. See In re Johnson & Johnson Talcum Powder Prods. Mktg., Sales Practices & Liab. Litig., 903 F.3d 278, 288 (3d Cir. 2018). 10 No. 20-1698
as the issue was presented by the litigants. Packer, 800 F.3d at 848–49. As a fallback argument, the plaintiffs insist that as the nonmovant they are entitled to the benefit of the entire record. This contention rests on Rule 56 of the Federal Rules of Civil Procedure, which governs motions for summary judgment, but that rule does not help them. Rule 56 permits the court to consider uncited materials in the record when ruling on a motion for summary judgment but requires the court to consider “only the cited materials.” FED. R. CIV. P. 56(c)(3). And the rule assigns to the parties the responsibil- ity to “cit[e] to particular parts of materials in the record” when asserting that genuine factual disputes preclude summary judgment. Id. R. 56(c)(1)(A); see also Compania Administradora de Recuperacion v. Titan Int’l, Inc., 533 F.3d 555, 562 (7th Cir. 2008) (citing Rule 56 in concluding that the district court permissibly ignored evidence cited in support of one factual dispute when considering a different issue). This latter requirement is especially important in cases involving a voluminous record. See Sommerfield v. City of Chicago, 863 F.3d 645, 650 (7th Cir. 2017). This one fits the bill. Reliance on Rule 56 is a nonstarter. The plaintiffs also reiterate their argument that the law- of-the-case doctrine barred Judge Yandle from reconsidering the question of standing because Judge Reagan had already ruled on the issue on multiple occasions. The law-of-the-case doctrine “posits that when a court decides upon a rule of law, that decision should continue to govern the same issues in subsequent stages in the same case.” Arizona v. California, 460 U.S. 605, 618 (1983). When a case is transferred between district judges midway through litigation, the doctrine No. 20-1698 11
discourages the new judge from reconsidering rulings made by the original judge. Gilbert v. Ill. State Bd. of Educ., 591 F.3d 896, 902 (7th Cir. 2010). The doctrine did not tie Judge Yandle’s hands for two reasons. First, law of the case is a discretionary doctrine, not a rigid bar, Pepper v. United States, 562 U.S. 476, 506 (2011), and its force is lowest when applied to jurisdictional ques- tions, Chi. Joe’s Tea Room, LLC v. Village of Broadview, 894 F.3d 807, 818 (7th Cir. 2018). To be sure, questions of federal jurisdiction are not entirely exempt from the doctrine. See Sierra Club v. Khanjee Holding (US) Inc., 655 F.3d 699, 704 (7th Cir. 2011). When there are “no significant differences in the legal landscape” since the prior ruling, courts may apply law of the case and refuse to reconsider the precise jurisdictional issue previously decided. Id. at 705. But a federal court’s ongoing obligation to assure itself of its jurisdiction means that revisiting such matters is almost always on the table. See 18B CHARLES ALAN WRIGHT ET AL., FEDERAL PRACTICE AND PROCEDURE § 4478.5 (3d ed. 2019). Second, law of the case does not apply at all where the precise issue presented differs from the one decided earlier. Gilbert, 591 F.3d at 903. As the plaintiffs acknowledge, Judge Yandle was presented with a factual challenge to standing, while Judge Reagan ruled only on facial challenges. That is, the defendants sought a standing ruling as a factual matter after the close of discovery. They had every right to do so. See Chi. Joe’s Tea Room, 894 F.3d at 818 (holding that the successor judge properly reconsidered mootness after discovery produced a more fully developed record). Hold- ing that the denial of a facial challenge to standing precludes a later factual challenge to standing would contradict the 12 No. 20-1698
Supreme Court’s instruction that “the proof required to establish standing increases as the suit proceeds.” Davis, 554 U.S. at 734. We close with a housekeeping matter. As we’ve noted, the judge dismissed the case for lack of subject-matter jurisdiction based on the plaintiffs’ failure to establish Article III standing, but her order reflects a dismissal with prejudice. That’s a contradiction: a dismissal with prejudice is a merits disposition, but the failure of subject-matter jurisdiction precludes consideration of the merits. Frederiksen v. City of Lockport, 384 F.3d 437, 438 (7th Cir. 2004). When a district court concludes that the plaintiff lacks standing— and thus that the court lacks jurisdiction—the judge may either dismiss without leave to amend or dismiss without prejudice. MAO–MSO Recovery II, LLC v. State Farm Mut. Auto. Ins. Co., 935 F.3d 573, 581 (7th Cir. 2019). The former disposition is appropriate here. We therefore modify the judgment to reflect a dismissal for lack of subject-matter jurisdiction without leave to amend. As modified, the judg- ment is AFFIRMED.