By Matthew Przywara
While the Internet of Things (IoT) is proliferating at an extraordinary rate, the regulatory guidelines and legal framework around it are not. The IoT can be defined as “a system of interrelated computer devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” The suite of technologies that lets the IoT turn practically any device into a source of information, and the sequence of activities by which organizations harvest that user information and create value from it as a “value chain,” are known as “The Informational Value Loop.” The global IoT market is expected to grow to $457 billion by 2020 and to have a potential economic impact of as much as $3.9 trillion to $11.1 trillion by 2025. Given this tremendous growth and our society's reliance on the IoT, it is unsettling to think that current regulatory and legal guidelines are not even close to keeping up with it. As Cheryl Falvey noted at the first IoT National Institute, held by the ABA in 2016, “the diversity of the IoT field has turned the typical regulatory landscape on its head.” According to a joint report entitled The Internet of Things (IoT): A New Era of Third-Party Risk, 81% of professionals who work in corporate governance or risk oversight believe that serious and catastrophic breaches caused by an unsecured IoT device are likely to occur within the next two years. Clearly, it is time for industry leaders to catalyze a push for the development of regulatory guidelines and a legal framework to protect not just the manufacturers of such technology but also the consumers.
The two main legal and product liability issues presented by the IoT relate to privacy and data security concerns and to bodily injury and physical damage concerns. Regarding privacy and data security, IoT devices typically store, to some degree, unencrypted personal identification information and/or personal health information, which can then be accessed, utilized by a third party, and transmitted without the device owner's consent (consolidation of which can also be used as a variant of “Big Data” for marketing purposes). As a way of highlighting how serious the industry-wide flaws in IoT device security can be, in 2018 hackers reached a casino’s network through a smart thermostat in the lobby, then accessed and uploaded the casino’s high-roller database. For consumers or industries like banks that use certain IoT devices and bring suits against retailers or manufacturers of such devices, there is no definitive law, and most claims seeking recovery for breach of contract, invasion of privacy, unjust enrichment and bailment have not been successful.
There has been more success with claims based on common law negligence and other related consumer protection statutes. For example, “the Federal Trade Commission (“FTC”) has conducted enforcement proceedings based on the position that a lack of reasonable security measures to protect consumer data may constitute unfair or deceptive practice under Section 5 of the FTC Act. It has moved against companies who lose personally identifiable information through ‘inadequate’ data security practices.” For manufacturers and service providers of IoT devices, other than FTC enforcement proceedings, the only legislation they have for guidance on steps to protect themselves is the 2016 European Network Information and Security Directive (NIS) and The IoT Cybersecurity Improvement Act of 2017, a bill currently before the U.S. Senate that seeks to improve the security of Internet-connected devices.
Physical damage concerns range from data breach remediation costs for financial losses to claims of bodily injury and property damage. Although the economic loss doctrine in tort law typically prevents recovery for solely financial losses, as the IoT continues to proliferate, so will IoT device malfunctions that result in bodily injury or property damage, likely increasing theories for recovery based on tort law. For example, General Motors LLC has been named a defendant in a personal injury suit by a motorcyclist bringing a claim of negligence for injuries sustained after an alleged collision with a self-driving vehicle that, while in self-driving mode and without warning, “veered into an adjacent lane of traffic without regard for a passing motorist,” which caused the motorcyclist’s injuries. However, beyond cases in which the device or technology fails without any outside intervention, the liability question becomes even trickier when the injury or damage was the result of a deliberate act by a third-party hacker.
Of significant concern in this area are IoT medical devices like pacemakers, insulin pumps, hospital equipment, and prescription drug labeling computers. Although these devices will certainly provide advantages to those they serve, the risk of malfunction and hacking poses a very real and significant danger to patients. For example, in 2016 the Food and Drug Administration (“FDA”) issued a recall of 465,000 Abbott Labs pacemakers due to concerns that security loopholes may allow hackers to breach the devices. Despite the manufacturer having nearly 18 months to address these concerns, a “BlackHat” presentation designed to find any existing flaws in the devices succeeded in doing so and pointed out that the devices' vulnerability is poor software design: software updates are not signed or encrypted, allowing an attacker to run malware. The fact that the manufacturer was on notice, took steps to correct the situation and was still unable to resolve the security concerns highlights not only the risk of IoT medical devices but also the inherent difficulty of preventing hacker attacks. Here, the extent to which the manufacturer or seller of such devices took reasonable steps to protect against hackers will likely be important in determining liability. Although the FDA has issued cyber-security guidelines for the manufacturers of medical devices, adherence is optional, and in the case of the Abbott Labs recall discussed above, the guidelines do not make it clear whether the manufacturer's steps in the last 18 months would be considered reasonable, considering the devices were still vulnerable to attack.
As of this date, a satisfactory legal or regulatory framework does not exist around the IoT and its many devices. Not only does this fail to protect the millions, if not billions, of consumers affected, but it also fails to give the manufacturers of such devices an adequate roadmap for their efforts to ensure their devices' safety and soundness from breaches or attacks, or to ensure they are protected from liability in any subsequent lawsuits.
As discussed above, the best course of action for a plaintiff seeking recovery for harm resulting from an IoT device breach or attack is also unclear. To address this issue, and because of the potential global impact of IoT devices being connected to the internet/cloud, the international community should act quickly to establish an agreed-upon framework that all member countries adhere to. Due to the severity of the damage that can occur from an IoT device breach or attack, it may be prudent for policymakers and courts to consider allowing recovery for plaintiffs bringing lawsuits alleging strict products liability, negligence, and defective or inadequate warnings against manufacturers, processors, distributors, and sellers if or when their products cause personal harm or property damage to users. Allowing such theories to prevail may help serve as a deterrent against inadequate device security and galvanize manufacturers of products already on the market, as well as those who have yet to bring their product to market, to do all they can to ensure their products' safety and soundness.
 Linda Rosencrance, Sharon Shea, Ivy Wigmore, Internet of Things (IoT), IoT Agenda (last updated June 2018) archived at https://perma.cc/34ZZ-P6SE.
 Data Foundry, Liability and IoT Devices – A Legal Can of Worms, Data Foundry (May 15, 2018) archived at https://perma.cc/9FQF-X27C.
 Vincent J. Vitkowsky, The Internet of Things: A New Era of Cyber Liability and Insurance, Seiger Gfeller Laurie LLP, Attorneys at Law (2015) archived at https://perma.cc/FF73-PH5A.
Student Bio: Matthew is the Alumni Liaison for the Journal of High Technology Law and is currently a 3L in the Business Law and Financial Services concentration at Suffolk University Law School. He holds a B.S. in Sociology and a minor in Criminal Justice from the University of Connecticut.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.