We consider the potential product liability implications of cyber attacks on smart devices.
In the hit film ‘Kingsman: The Secret Service’, a British spy seeks to outsmart a cyber-criminal who sends a signal to smartphones, causing people to spontaneously attack each other. Alarmingly, the prospect of our mobile handsets receiving signals that impact on our wellbeing is not as far-fetched as we might think.
Wherever there is an electronic/smart device in use there is potential for an attack, which may cause injury and damage. Could smart applications on our mobile phones designed to monitor our health, for example glucose readings for diabetics, be at risk of a cyber attack, creating significant risks for users relying on false information?
According to a study by the Freedonia Group, around 2.5 million people already rely on implantable medical devices to manage their medical conditions. Medical devices that use a wireless connection, such as pacemakers, defibrillators, monitors and insulin pumps, are increasingly being used and are considered to be at risk, as are automated drug distribution systems.
As long ago as October 2014, the United States (US) Department of Homeland Security was investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. Officials feared these could be exploited by hackers, for example by instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity.
In January 2016, the US Food and Drug Administration, which regulates the sale of medical devices, released guidelines for manufacturers and healthcare providers to better cyber-secure medical devices.
These risks and vulnerabilities were highlighted in a Court of Justice of the European Union (ECJ) decision in March 2015, Boston Scientific Medizintechnik GmbH v AOK Sachsen-Anhalt – Die Gesundheitskasse, Betriebskrankenkasse RWE.
The cases concerned:
- Pacemakers, where the sealing component might gradually deteriorate leading to premature battery depletion, resulting in loss of pacing output without warning.
- Implantable cardioverter defibrillators, where a magnetic switch might stick in the closed position and could prevent the treatment of ventricular or atrial arrhythmias.
The ECJ considered whether a person’s medical implant could be held to be ‘defective’ if the product batch had been recalled due to higher than expected failure rates for a specific reason, even if that person’s particular implant seemed to be functioning properly. The ECJ held that it could.
This is a landmark decision. It suggests that a product could be held defective under the Consumer Protection Act (CPA) 1987 even if it has not failed, but is subject to a product recall. In addition, it is evident that the public is entitled to have a high expectation in respect of medical implants.
It is arguable that the decision could impact on manufacturers of high-risk smart devices generally. Consider an example where one high-risk smart device is shown to be at risk of a cyber attack. Other smart device products of the same batch, which have not yet been attacked but are perceived to be vulnerable to attack, could be regarded as ‘defective’.
Product liability claim
Where a claim relates to software vulnerability/cyber security, allegations are likely to be made that the product is defective.
Section 2(a) CPA 1987 would impose strict liability on the producer of software and/or a smart device if:
- The product’s vulnerability results in property damage and/or physical injuries.
- By causing damage it was not as safe as “persons generally are entitled to expect”.
Instructions or warnings will be fundamental to liability.
Complexities will arise as to who is actually responsible for an alleged defect. Coverage for liability for bodily injury or property damage is typically provided in general liability policies. However, in May 2014, the Insurance Services Office introduced a new set of exclusions that excluded coverage for cyber attack related liabilities.
Smart device manufacturers should be mindful that insurance policies may not provide coverage for every consequence of a cyber attack. They could be left facing substantial costs in defending related product liability claims, and also irreversible reputational damage.