The Internet of Things (IoT) is a rapidly evolving way of thinking about the internet and how the devices we use every day interact. IoT describes the developing system in which “smart” devices interact with each other through the internet to gather and exchange data to provide additional functions, security and ease-of-use for human users. While it provides significant promise as a means of creating value and convenience for consumers, it also raises thorny legal issues. This article will address issues relating to liability for damages arising out of device or system malfunctions or outside malfeasance. In a future installment, we will address contractual and other measures to manage and apportion risks and liabilities.
The internet and the devices we use to access it have evolved dramatically. Early websites operated much like brochures, providing basic information about the site owner and its products or services. Since the advent of smartphones and tablets (Apple introduced the first iPhone in 2007), the internet has evolved into a more interactive realm, allowing website owners and consumers to engage and share information. IoT is taking connectivity to a higher and even more interactive level. Some consultants define IoT as the point in time when the number of internet-connected devices exceeded the number of people. This first occurred in 2010, when the number of connected devices reached 12.5 billion as compared to the worldwide human population of 6.8 billion. CISCO recently projected that the number of connected devices will exceed 50 billion by 2020.
Although the space is quickly evolving, current products, applications and services that rely on IoT connectivity include:
- Smart appliances, systems and applications, like ADT, Vivint and Ring, link various home systems (such as thermostats, alarms, electronic doors, power and home networking) with the user’s smartphone for remote monitoring and activation;
- Municipal utility systems use remote sensing devices (in the electrical grid, on natural gas meters and on water meters) to detect flow status and leaks;
- Friend-finder and family security applications, such as Life360, FindMyKids and similar apps, allow users to locate and monitor family members, including tracking teenage drivers’ travel and rate of speed and alerting parents to travel interruptions suggesting a traffic accident;
- Internet-connected toys, like HelloBarbie, VTech and various learning toys, collect and store personal data and recorded messages and allow users to remotely monitor and communicate with children and even pets;
- Wearable, connected medical devices collect and monitor biometric data, vital signs and other diagnostic parameters and communicate with the user, caregivers and health care providers to assist in monitoring or diagnosing medical conditions or remind the user to take medications;
- Personal health and fitness wearable devices, like FitBit and others, collect biometric data and provide information and suggestions to the user on exercise and health.
These devices and applications offer powerful functionality and benefits to their users because of the way they retrieve data from disparate sources, process that data, and deliver it to the user in a way that creates a new type of value (like delivering a message that the power is out at your house, allowing for automatic or remote activation of HVAC systems, or notifying a caregiver than an elderly family member is not following usual activity patterns). These same innovative features also create the potential for new types of liability arising from security and privacy risks.
Products liability law evolved to assign responsibility for injuries resulting from defective products to product manufacturers (and sellers). The primary goals of products liability law are to compensate injured parties and assign responsibility to the party (the manufacturer) in the best position to ensure the safety of its products. Laws vary from state to state, but generally a product manufacturer will be “strictly liable” (without regard to fault) for personal injuries and property damage caused by a defective product. Products may be deemed defective based on: design defects (which may be determined by either a risk/benefit analysis or a consumer expectations test); manufacturing defects (does the product conform to specifications); or inadequate warnings (about foreseeable risks of a product).
Traditional products liability principles apply reasonably well to IoT devices when the device itself malfunctions. For example, liability for burst pipes due to a smart thermostat’s failure to activate can be analyzed and allocated under traditional design or manufacturing defect concepts. The potential for a malfunction due to a software failure, however, adds a layer of complexity to the analysis, including determination of whether the software was defective and allocation of liability for any defect between the device manufacturer and the software supplier.
Liability is more difficult to judge in the IoT realm, where devices are increasingly integrated into networks. In the past, manufacturers have been held liable where defects in their products caused a series of failures in other, integrated products only when the manufacturer “substantially participated” in the integration of its products into the overall design of the network. This notion makes less sense for IoT devices intended to collect and communicate data to a network of other devices that have little utility apart from the integrated network.
Privacy threats and liability for security breaches fit less neatly in the traditional products liability framework, which may require an evolution of products liability law. The lack of clear, universal industry standards for IoT security makes proof of the existence of a design defect difficult.
Issues of liability allocation, product misuse and proximate cause also are more complex in the context of IoT. For example, if a manufacturer of a wearable device measuring biometric information that displays data through an app on the wearer’s smartphone runs on software that is susceptible to hacking, will the manufacturer be liable for resulting harm if a hacker exploits that weakness to steal the user’s personal information? Who is responsible when a hacker accesses patient data from a health monitoring device, interferes with the functioning of the device, or disables a hospital network? How will liability be allocated when a security breach is due, at least in part, to a consumer’s failure to take appropriate measures to secure his/her devices and data? What if a user fails to heed warnings of vulnerabilities or follow instructions to minimize risks? The intervening criminal activity of a hacker also raises proximate cause issues that may preclude a manufacturer’s liability under a traditional tort law analysis. Consistent with the risk allocation goal, however, courts may be tempted to apply concepts of economic efficiency to assign liability to IoT product manufacturers on the theory that device manufacturers and software developers are better positioned than consumers to anticipate and avoid cybersecurity risks.
The types of damages resulting from security breaches typically are not recoverable under existing products liability law. In most instances, products liability law permits recovery of damages arising from personal injury or physical damage to property but bars recovery for purely economic losses, including business disruption and other purely financial losses. Will this traditional shield from economic damages hold up when a device manufacturer’s software defect allows a hacker to engage in mass financial fraud or identity theft, or creates massive business interruptions from a disabled network? Alan Butler, senior counsel for the Electronic Privacy Information Center, recently suggested in a prominent law review article that this traditional rule should not bar recovery in all circumstances, and the law may evolve to allow for recovery of catastrophic consumer and business losses.
Legislators and regulators also may get involved. Legislatures tend to be reactive, adopting new laws to address perceived wrongs when society and the marketplace experience pain. In the face of consumer reaction to catastrophic data security breaches, Congress or state legislatures may adopt data security legislation or regulations imposing liability on parties that collect, store or transmit data in the IoT realm. In November 2018, the U.S. House passed the “SMART IoT Act,” which directs the Secretary of Commerce to conduct a study and report to Congress on internet-connected devices and activities of federal agencies related to IoT devices. The bill was referred to the Senate Committee on Commerce, Science, and Transportation but not passed before the end of the 115th Congress. Likewise, California in 2018 passed the country’s first cybersecurity law pertaining to IoT devices (it will take effect in early 2020, just as the state’s overall new privacy law also becomes effective).
In May 2018, the U.S. Consumer Product Safety Commission (CPSC) held a public hearing to receive input “about potential safety issues and hazards associated with internet-connected consumer products” to inform its future risk management work. CPSC specifically stated, however, that it does not consider “personal data security and privacy issues that may be related to IoT devices” to be hazards that it would address.
While the emerging IoT marketplace has the potential for enormous economic value creation, it also presents the potential for significant liability. Traditional products liability law likely will evolve to address the challenge of IoT, either through judicial decisions or new legislation, and market participants should remain on guard for those changes. As the law evolves, product manufacturers, app developers and network operators also should be proactive, by planning for data security in advance, analyzing and addressing foreseeable physical and security risks during product design, developing effective consumer warnings and instructions and implementing protections in their network contracts to minimize their risk. In our next article, we will discuss contracts best practices, including contractual means to manage risks relating to products liability and information/cybersecurity matters.
Donald P. Boyle Jr., Mitzi L. Hill, LeeAnn Jones and Jonathan B. Wilson are partners in the law firm of Taylor English Duma.