The internet of things has been described as the “extension of the internet to the physical world” – sensors and actuators embedded in everyday devices to collect and share data via wireless connections. Almost everyone marketing products to consumers is investing in the IoT, allowing consumer products to get smart by taking advantage of the virtual world of information technology. These interconnected products communicate with one another, with or without the internet, providing tremendous opportunity for innovation and driving fierce market competition.
When consumer products meet the IoT’s cognitive computing capability, the products start to recognize data correlations that enable them to personalize the consumer’s experience. These smart products learn from each user’s interactions with the product and, for that reason, they hold great promise for consumers, from improving wellness by the use of wearable fitness monitors to reducing energy bills by installing smart thermostats.
To tap into the full potential of these products, users share information, which necessarily raises the question of how that data is secured. These rapidly evolving technologies pose challenges for regulators, manufacturers and retailers as the worlds of high-tech communication and interconnectivity collide with product safety and data security.
Both the Food & Drug Administration and the National Highway Traffic Safety Administration have issued guidance to address the health and safety aspects of potentially hackable medical devices and automobiles, respectively. The Federal Trade Commission has been very active in policing the adequacy of data security in IoT devices, bringing enforcement cases against makers of IoT products for the home, such as cameras and routers, alleging that the products were not adequately secured against data breach. The FTC’s IoT guidance outlines its expectations with regard to the security of these products. Lawyers can play a role in mitigating potential security and safety risks with these and other types of products and help get the business prepared for mass adoption.
Mitigating IoT risks involves the intersection of legal disciplines involving, among other things, privacy, cybersecurity, intellectual property and product liability. Here are several ways lawyers can help launch these products and get the company prepared for any potential security or safety risk.
1. Compliance Program Implementation
Lawyers can help inform the development of compliance programs to substantiate the company’s reasonable consideration of potential risks from unauthorized access or misuse of private or sensitive data and from attacks on the system that may compromise data security, safety or even lead to the theft of intellectual property. All of the federal regulatory guidance in this area requires companies to anticipate these risks, address them, and continually monitor for threats to these connected products in order to keep data secure and to ensure the safety of the device.
Developing a compliance program specific to IoT products can ensure sufficient effort has been given to anticipating risks in the design phase and embedding security into IoT products from their inception. Moreover, with the government demanding that these products be monitored for new vulnerabilities that could lead to safety and security risks throughout the products' life cycle, lawyers can play a role in ensuring that the compliance program identifies these post-sale safety, security and privacy risks. Lawyers can also help the compliance team decide whether and how to engage with regulators at both the state and federal level if and when a safety or security issue arises.
2. Product Disclosures and Advertising
In analyzing the product liability cases involving IoT devices that have survived motions to dismiss, a critical issue for risk mitigation is how the product has been advertised, what representations have been made about its security, and what disclosures have been made about potential risks. One important aspect of disclosure is how long the company plans to support a product with security updates. These updates are an important means by which companies can address risks once the product is out in the field. As the U.S. Government Accountability Office Center for Science, Technology and Engineering noted in its May 2017 Technology Assessment on the Internet of Things, Tesla addressed a recall of a defective charger through an over-the-air software update, in much the same way our phones now receive software updates. Will those over-the-air updates continue for as long as a consumer owns the product?
A public-private sector working group convened by the National Telecommunications and Information Administration recently recommended that manufacturers make security disclosures with regard to IoT devices in much the same way other product warnings and information are conveyed to consumers. The group recommended that manufacturers consider disclosing to consumers, prior to purchase, whether and how a device can receive security updates and the anticipated timeline for the end of security update support. Consumers also need to understand their own role both in securing their sensitive information and in maintaining the safety and security of their device.
IoT-enabled products often allow companies to push security messages directly to the consumer on the device itself, which leaves room for creativity in ensuring these critical disclosures are made in a timely and distinctive manner. On-product labels or display messages can inform consumers when software updates critical to security are available, how to ensure they are installed, and even how long the company plans to support the product with software updates.
The emerging case law on IoT products also suggests that failing to disclose potential vulnerabilities to hacking may be problematic when a hack occurs and the product was advertised as safe and secure. Many state unfair competition laws allow claims where the evidence suggests an affirmative misrepresentation or fraudulent omission about a product defect. Lawyers can help ensure that the company makes the right decisions about product labeling and advertising and sends the right messages when it is on notice of a new potential vulnerability or is investigating a potential intrusion. Which communications to consumers can be viewed as reasonable and accurate may change between the time the company first learns of a vulnerability and the time a patch has been developed and deployed. The same is true over the course of an intrusion investigation. One false step in messaging could create significant liability for misrepresentations or omissions.
Privacy disclosures may also be needed about the data IoT devices collect. Lawyers should ask product developers what data the product collects and why, in order to determine whether disclosures should be made regarding data collection and whether consent needs to be obtained. The same creativity these products offer in pushing out security updates can be used for privacy messaging as well.
3. Legal Liability Analysis
Lawyers can also assist in sorting out the liability profile of IoT devices and ensure that contract provisions meet the expectations of all the parties. These products tend to be an amalgam of hardware, software and firmware often supplied by different vendors. The security of the final product may depend on the security of any one of those components. IoT devices also change over time as new functionalities are added and others subtracted. The express warranties may or may not fit the actual use application at any given time or in a potential breach scenario. Lawyers can help work through how the technology operates to ensure that otherwise standard warranties, limitations on liability, consequential damages provisions and indemnifications all make sense at the time of product launch and as its use evolves over time.
Lawyers can also help protect the company from potential litigation and regulatory enforcement actions. Both courts and federal regulators expect companies to have adopted reasonable cybersecurity measures to protect IoT products. Defining “reasonableness” can be challenging when both the product functionality and the security threat landscape are constantly evolving. By studying the federal enforcement actions, lawyers can take the lessons learned and build them into risk mitigation advice for the business. The FTC, NHTSA and FDA guidance documents all identify similar considerations around what might be considered insufficient security to address vulnerabilities and the resulting harm. Regulators are insisting that companies take advantage of readily available security tools and build products that reflect what experts have already learned about security, including protecting interfaces between products, monitoring vendor access to systems, and considering controls such as authentication, encryption and limits on permissions. The lawyer on the product development team can also assist in assessing risk. The corruption or exfiltration of data collected on a medical device may present more significant risk and therefore require more oversight to meet the reasonableness standard. Products marketed to children present another set of risk factors to be considered.
The states are also active in this area, proposing laws and guidance on the reasonableness of a security program for liability purposes. For example, in 2016 the California Attorney General released a report outlining expectations for reasonable security to protect personal information from unauthorized access, destruction, use, modification or disclosure. The case law involving IoT devices is also instructive as to what allegations have formed the foundation of those complaints, even though many of those cases have been dismissed for lack of standing because no injury or damage had yet occurred.
Finally, IoT products run on intellectual property, the rights to which must be secured, and they generate data which raises significant issues with regard to data ownership. Who owns or has other rights to machine generated data depends on the facts and application of a combination of contract, trade secret and IP law. These issues become even more complicated when these IoT devices are used in industrial, business and public services applications. Lawyers can assist the business in understanding their data ownership rights and develop licensing and other creative solutions to maximize the business opportunities for that data.
4. Incident Response Planning
Because the security and safety of these products and their data rely so heavily on appropriate and timely remediation, patches and other corrective actions, having the infrastructure to handle those situations up and running at product launch is critical. Just as a company prepares for cyber threats generally, those same best practices for proactive incident response planning should be undertaken in connection with IoT devices.
Companies should consider joining relevant industry trade organizations or developing other means of sharing threat information. Companies should also develop crisis plans for handling IoT threats to their devices. As part of incident response planning, lawyers can play an important role in ensuring that preparation for a security breach anticipates all legal requirements for disclosure to regulators, law enforcement and customers, whether imposed by statute, regulation or contracts with third parties. Public companies also need to consider investor expectations and potential SEC implications in the event of a hack.
A safety threat could require reporting to a myriad of agencies depending on the type of product. The U.S. Consumer Product Safety Commission has reporting requirements if a product contains a defect that could present a safety risk, and it has recalled products when a failure in their wireless technology presented a safety risk. Likewise, NHTSA has required a recall involving a vulnerability to hacking in at least one instance, and the FDA may play a significant role in any medical device hack. Knowing whom to contact and when, and assigning that responsibility in advance of any product safety crisis, will ensure timely regulatory compliance.
Lawyers play a key role in defending the reasonableness of corporate action in light of foreseeable risks, and the lawyer’s role in protecting a company from the risks of IoT devices is no different. By ensuring legal involvement as these emerging technologies proliferate, not only will the business be in a better position to defend itself in the event a problem arises, but it will also be in the best position to capitalize on the magnitude of the opportunities presented by IoT devices.