After several twists and turns, on July 7th Intel Corp. succeeded in achieving final dismissal of class claims alleging that Intel knew about purported security vulnerabilities in its microprocessors and failed to disclose or mitigate those vulnerabilities. The case, In Re Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation, 3:18-md-02828, had a long history: a narrowed set of class claims had survived three prior rounds of motions to dismiss. Had the claims been allowed to go forward a fourth time, businesses might have faced additional liability concerns for attempting to address cyber vulnerabilities in their products before those exploits became public and susceptible to exploitation by hackers.
According to Plaintiffs, independent security researchers uncovered potential security vulnerabilities in microprocessors made by Intel that made the microprocessors susceptible to certain exploits, which have become generally known as “Meltdown” and “Spectre.” Intel learned about the security vulnerabilities in mid-2017, but kept information about the security vulnerabilities under embargo until early 2018. Keeping information about security vulnerabilities under embargo for a limited period of time is a traditional and lawful practice that allows a company to implement security fixes before hackers learn of the potential exploits. The dispute in this case centered on the length of the embargo and the allegation that Intel continued to sell its product during that timeframe.
The Court had initially held that Plaintiffs sufficiently stated a claim for unfair conduct under the California UCL, among a handful of other claims, predicated on allegations that Intel delayed lifting the embargo until after the 2017 holiday season so it could continue to sell devices powered by the allegedly vulnerable microprocessors. However, on reconsideration, the Court determined that Plaintiffs had disavowed that theory, and instead “Plaintiffs [were] simply alleging that Intel sold product during a normal and reasonable embargo with ‘asymmetrical information.’” The Court held that this allegation was insufficient to support an unfair conduct claim and dismissed all remaining claims with prejudice.
The Court noted that its rulings were not intended “to declare or establish any specific default embargo period, let alone one that would apply under all circumstances.” This may come as a relief to tech companies that have to employ embargoes to resolve current or future security vulnerabilities, since establishment of a default embargo period could overly restrict the timeframe necessary to resolve the issues.