This is the third in a series of blogs examining the rapid development of the Internet of Things (IoT) and its consequential impact on product liability risk. The development of the IoT has been so rapid and the applications so ubiquitous across every imaginable industry and commercial enterprise that there has been a failure by many businesses to recognize that with interconnectivity of so many products and services, security is only as strong as the weakest link within the chain of interconnected products.
This structural weakness became all too evident when Fiat Chrysler announced on July 24, 2015, the recall of 1.4 million vehicles due to a cyber security flaw disclosed by technology journal Wired. Hackers were able to remotely commandeer a Jeep’s controls through the vehicle’s Internet communications systems. (See “Hackers Remotely Kill a Jeep on the Highway – With Me in It,” Wired, July 2015.) Along those same lines, the vulnerability of most current-model automobiles was identified and publicized recently by two separate government investigations. (See FTC report and Senator Markey’s report.)
The National Highway Traffic Safety Administration (NHTSA) has commenced an investigation and Fiat Chrysler is working with NHTSA to facilitate this investigation. According to press reports, an open communications port within the Wi-Fi radio system is the weak link. Fiat Chrysler reportedly first identified the flaw in January 2014, but did not know at the time that it could affect critical vehicle controls. The announced fix is a software patch that will be installed by a USB device sent to owners of the affected vehicles.
This recent recall underscores the potentially enormous vulnerabilities IoT products have to hacking if security is not made an absolute top priority. Software failures that lead to a malfunction of a product resulting in physical damage or injury highlight but one predictable vulnerability in mass-produced products. The threat of a deliberate exploitation of a software defect by a malicious third party is an entirely new category of risk, the dimensions of which product manufacturers and software companies are only now beginning to recognize. (See “Five Lessons on the ‘Security of Things’ From the Jeep Cherokee Attack,” Forbes Tech, July 27, 2015.)
The Fiat Chrysler recall illustrates the importance of adequate cyber security as a necessity from the ground up and provides a preview of how manufacturers and software companies will be required to address these flaws, which can affect millions of products. It also highlights the role of closely working with the appropriate federal safety agency in order to get out ahead of a potential crisis before it results in property damage or injury.
Some Takeaway Considerations
Some articles suggest Fiat Chrysler is working with the software vendor to correct the problem. If so, it may present a liability exposure to the software vendor depending on, among other things, what is contained in the contract between Fiat Chrysler and its software vendor for defects in the software.
Product liability recall insurance can be expensive. If the software vendor is on the hook to absorb part or all of the recall expenses, those expenses may come directly out of its own pocket.
In the immediate aftermath of the publication of the vulnerabilities of motor vehicles to Internet hacking, U.S. Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut introduced legislation that would empower NHTSA and the Federal Trade Commission to establish rules to secure vehicles from hacking threats and maintain driver privacy. (See Spy Car Act of 2015.)