On May 16, 2018, the Consumer Product Safety Commission held a public hearing to receive testimony on the Internet of Things (IoT) and issues related to product safety (IoT Hearing). Thirteen diverse stakeholders presented at the IoT Hearing. Of the thirteen presenters, there were three representatives of consumer organizations, one academic, one security expert and researcher, one representative from a testing lab coalition, one representative from a testing and voluntary consensus standards organization, two representatives from international interests, and three representatives from industry trade associations or coalitions. While each presenter had his/her own agenda, there was some agreement: There are potential significant safety, privacy, and product liability issues associated with emerging IoT technologies. At the hearing, the CPSC learned there are currently 8.4 BILLION connected things, and 5 BILLION consumer applications—numbers allegedly on track to double by the year 2020.
How can the CPSC address the related safety issues?
The consumer activists described the situation as “urgent” and pressed the Commissioners to provide a certification process for IoT devices and stronger mandatory regulations for manufacturers that incorporate software technologies into their products. The industry trade associations/coalitions advocated for a voluntary consensus-based, industry-led approach—which they have already started to address. They argued that their approach would be the most cost-effective and efficient way to implement the most up-to-date technologies to address the growing problem.
Were product liability issues sufficiently addressed?
The product liability issues associated with IoT devices—smart appliances, alarm systems, thermostats, fire sprinkler systems, medical devices and monitors, wearable devices, and self-driving cars, to name a few—pose vulnerability issues when the software is hacked, malfunctions, or fails to update. The hazards allegedly associated with these device malfunctions are fire, burn, shock, tripping or falling, laceration, contusion, chemical exposure, bodily injury, and even death. Indeed, the IoT issues have already affected the medical device community, as the FDA issued recalls for Medtronic devices in 2004, 2012, and 2016 due to software issues that allegedly led to patient overdoses, injuries and death. Similar injuries were allegedly reported from cardiac devices intended to prevent heart attacks.
One panelist even raised the possibility that a hacker could potentially infiltrate an entire municipality or hospital system through a connected product, which would have the potential to affect the lives of millions of people—at an astronomical cost. These types of hacker activities were described as “terrorism.”
What are the related legal ramifications of IoT?
In states that recognize the consumer expectation test, additional questions will apply to these design defect allegations. When a consumer purchases an IoT device, does the consumer expect that hackers will be able to infiltrate the software? Does the consumer expect that the product will be designed in a manner in which the software can malfunction if the software is not updated in a timely manner, or if the software update is interrupted? If answered in the negative, the manufacturer may be subject to liability.
Are the risks of IoT covered by current regulations?
Some presenters argued that the current regulations, such as ASTM F963, already address the potential product hazards presented by IoT devices in connection with toys, but for other product categories there are only voluntary standards or potential voluntary standards.
Other testimony suggested that strict liability laws were “sufficiently flexible,” so more stringent regulations were not warranted. The question now is not if, but when, plaintiffs’ firms will sue, and these issues will have to be resolved by courts.
What are the privacy issues?
As you can imagine, the IoT issue will not only impact product liability laws, it also implicates personal privacy. Horror stories were relayed to the CPSC, including examples of baby monitors that allowed hackers to tell children they are being watched and to repeat “sexual noises.” Less horrific accounts involved “listening” devices that recorded conversations in the home without consent. While the compensation potential for privacy issues may be less than for personal injury products liability, it is nonetheless concerning, particularly from a class action perspective.
Are the risks covered by insurance?
The IoT issue may also implicate insurance coverage with respect to hackers and potential product, technology, or network failures. If the hacker activities are deemed “terrorism,” coverage will likely be excluded or significantly limited. The question remains, will stakeholders such as software developers and/or manufacturers have sufficient coverage to pay for the expenses they will ultimately incur for IoT claims? More and more, relevant stakeholders do not obtain, or obtain insufficient, cyber coverage. All IoT stakeholders (manufacturers, importers, software designers, app developers, etc.) must evaluate their insurance coverage and anticipate related issues of new IoT technology. Coverage issues and exclusions may be more of an issue than expected if the insureds do not focus on these details before an acute IoT product failure occurs.
What can the manufacturers do now to avoid certain potential liability?
The application security expert provided a list of seven compliance suggestions: (1) a Bill of Materials for every device; (2) mandatory security assessments; (3) end-of-life dates for devices; (4) Service Ecosystem Transparencies; (5) Component Vendor Attestation of Security; (6) “Security Score,” or safety rating, on packaging; and (7) Required Technical Criteria. The costs of implementation were not addressed. Additionally, stakeholders should look at the current voluntary standards that deal with the specific technology being used as well as the product category of the product and devices. Current voluntary standards provide an indication of where the potential security and safety issues may exist.
What is next at the CPSC in connection with IoT products and safety?
The CPSC clearly believes that further conversation is required to address these issues, as the May 16, 2018 testimony elicited more questions than answers. For instance:
- What is the best way to regulate the IoT?
- Are current laws and regulations sufficient to hold product and software manufacturers liable for injuries to consumers?
- Are the current/proposed security and privacy standards sufficient to address the issue?
- Should a strong security system be “built in by design”?
- Should the U.S. follow the international community, which has already started to address this issue?
- Should products be placed and regulated in different safety categories?
- Would regulations impede innovation that could ultimately improve safety?
All participants—and the Commission itself, judged by its questions to the panel—tended to believe that further collaboration with agencies such as the FDA, FCC, NTIA, NIST, NHTSA, and the FTC will be needed to address these important questions. For now, it does not appear that answers to these questions are close to resolution. The CPSC plans to attend the ICPHSO international summit in Brussels on the issue in November, potentially create an inter-agency working group, and hold additional forums to gain relevant expertise on the issues. Hopefully, the CPSC will engage with technology experts such as software designers and app developers who will undeniably have more information about the potential short- or long-term consequences and innovations associated with this new technology. And finally, all stakeholders, including the CPSC, should be watching how Congress decides to deal with IoT technology and government oversight in the coming months. On May 22, 2018, Chairman Greg Walden of the House Energy and Commerce Committee said in his opening statement to the Digital Commerce and Consumer Protection Subcommittee, “[w]hile America has changed, many of our regulations have not. That is one of the purposes of the legislation we will discuss today… The SMART IoT Act will create the first compendium of essentially who is doing what in the IoT space.” If such legislation is proposed and passed, it will greatly impact the work that the CPSC may want to do in connection with IoT and Smart products.
The future of product safety, privacy and liability will be based on whether companies end up doing the right thing in all three of these categories. Stakeholders are encouraged to continue to submit comments on this issue until June 15, 2018 to the CPSC. The Federal Register notice and instructions on submitting comments can be found here.