Liability and IoT Devices – A Legal Can of Worms

May 15, 2018 | Insights

As many cybersecurity professionals are aware, the Internet of Things (IoT) is proliferating without any established legal framework or regulatory guidelines. According to a Forbes article, the IoT market is expected to reach $457 billion by 2020, up from $157 billion in 2016. The interconnectivity of network-enabled devices makes the IoT a can of worms when it comes to legal liability. U.S. regulatory agencies, such as the Department of Commerce, the FTC, and the FCC are a long way from establishing clear standards for IoT devices. Could the business that owns a connected device be held responsible for carelessness in the event of a data breach or an attack, or does liability fall only to the manufacturer or the software provider?

Imagine a smart home or a smart factory in which all devices communicate with each other. These devices aren’t all necessarily from the same manufacturer, and they may involve different software providers. They send and receive data from multiple sources. “The attack surface is exploding from an information security point of view,” noted Andrzej Kawalec from HPE security services to Computer Weekly.

The IoT is Different from Past Technological Legal Issues

So far, the Department of Commerce has concluded that the IoT is different from any technological issues society has already faced. So many things can go wrong with network-enabled devices, including interception of data (man-in-the-middle attacks) and DDoS attacks in which the device is compromised and used as part of a botnet. Because IoT devices are so interconnected, determining liability will be more difficult than ever.

With traditional products, liability has normally fallen to the manufacturer/service provider. However, as Cheryl Falvey, co-chair of Crowell & Moring’s Advertising Product Risk Management Group, noted at the first Internet of Things National Institute in 2016 held by the American Bar Association, “the diversity of the IoT field has turned the typical regulatory landscape on its head.” If a user of an IoT product doesn’t take basic cybersecurity precautions and an attack occurs, who’s liable? Is it the manufacturer, software provider, the user’s company, or all the above? If the user interconnects a device and uses it for a purpose that is not intended by the manufacturer or software provider, who’s responsible? These are risks your company should be thinking about, whether you are a user or a producer of IoT products.

Where We Are Today

Clete Johnson, Senate Adviser for Technology Policy from the Department of Commerce, also participated in the American Bar Association’s Internet of Things National Institute. He outlined the Department’s approach to regulating the IoT as focused on the following four broad priorities: (1) a free and open internet; (2) trust and confidence in the privacy and integrity of the online economy, both from business and from the public; (3) broad internet access; and (4) in his words, “innovation, innovation, innovation.”

So far, the only legislation manufacturers and service providers have to go on is the 2016 European Network and Information Security Directive (NIS), which imposed the first general obligation to maintain adequate security in certain network and information systems, and a bill currently proposed in the U.S. Senate, the IoT Cybersecurity Improvement Act of 2017. Unfortunately, there hasn’t been much movement on this bill since it was introduced.

What Can You Do to Protect Your Company?

If you are a user of IoT products, be sure to follow cybersecurity best practices. NIST’s initiatives for the IoT are a good place to start. If you are a manufacturer of IoT products, consult with a law firm that has experience in this area. Andrew Austin, DR Partner with Freshfields Bruckhaus Deringer, who works with IoT clients in the U.S. and in Europe, says that for now, who pays in a liability suit will be decided in large part by what is written in contracts. He recommends:

  • Be as clear as possible in your contracts about what a product is and isn’t designed to do.
  • Whether you are the hardware provider, network provider, or a software vendor, be clear about the allocation of risk.
  • Try to obtain rights to access data to determine the root cause if something goes wrong.
  • Explore cyber insurance options. While choices are still limited, this market continues to grow and evolve.
  • Be proactive. Monitor performance and act quickly to correct flaws or vulnerabilities in your product/service.