IoT and liability: Who pays when things go wrong?

Product liability pertaining to Internet of Things (IoT) devices is uncharted territory, but that will change in a hurry.

Product liability is about to meet the Internet of Things (IoT), and what that means is anyone's guess. Case in point: Who is liable if bad guys hack a home's smart thermostat, turn off the heat in the dead of winter while the owners are vacationing in sunny Florida for two weeks, and the water pipes freeze, flooding the newly remodeled lower level?

Product liability is no panacea

Historically, product liability has been a can of worms. The blog post What is Product Liability? on Thomson Reuters' FindLaw website suggests one reason is the lack of federal product-liability laws. The authors add, "Product liability claims are based on state laws and brought under the theories of negligence, strict liability, or breach of warranty."

It's not hard to see that ensuring products meet liability regulations in every state would be quite an undertaking. It also might be why most definitions of product liability are confusing at best--even one of the better descriptions, championed by the FindLaw website:

"Product liability refers to a manufacturer or seller being held liable for placing a defective product into the hands of a consumer. Responsibility for a product defect that causes injury lies with all sellers of the product who are in the distribution chain."

IoT complicates product liability

If the definition sounds nebulous, more than a few attorneys who specialize in product liability would agree, especially when devices associated with IoT are considered.

Lucas Amodio, intellectual property attorney at Armstrong Teasdale LLP, in his post Is the Internet of Things Ripe for Product Liability Law?, brings the problem to the forefront, saying, "With hacks in the past where data was compromised, the damage was intangible and hard to quantify. However, it's easier to determine monetary damages when you have real physical damages."

As one might expect, when monetary values can be assigned to liability claims, the blame game gets serious. "The question becomes who is ultimately responsible for the interactions of the product," asks Amodio. "And more importantly to the people in the cybersecurity field, who is responsible if a hacker breaches the security to the device and causes damages in the real world?"

The Mason, Hayes, and Curran blog post Untangling the Web of Liability in the Internet of Things raises yet another complication caused by IoT. "Manufacturers of IoT devices, IoT network providers, and IoT software developers need to be aware users may bring claims against one or all of them following a device malfunction or security breach," mentions the post. "It is not clear if the aggrieved IoT user will be required to prove they have suffered damage as a result of an IoT player's actions or if the courts and lawmakers will adopt a 'strict liability' approach."

The Mason, Hayes, and Curran post's authors suggest there may be an alternative where the courts might apportion liability to all concerned parties, including IoT device manufacturers, network providers, and even hackers, if it's within reach of the law and the courts.

Criminal, civil, or both?

As to whether and when a liability might be considered a criminal offense instead of a civil one, the Mason, Hayes, and Curran post suggests that depends on the severity of the liability. For example, the authors imply that malfunctioning automated traffic lights causing a serious accident could raise claims of criminal liability.

In the near future, the authors suggest that a liability case may contain both criminal and civil elements. Their example deals with an automated car crashing into an oncoming vehicle because the automated car's system was not compatible with the city's smart traffic lights. "A situation like this could raise claims of criminal liability," mentions the Mason, Hayes, and Curran post. "However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car."

Food for thought

The Mason, Hayes, and Curran post concludes that IoT is going to create new risks and a surge in liability litigation. The authors wisely suggest that IoT manufacturers and developers avoid waiting for new liability regulations, and continue to refine IoT security standards and protocols. Companies following that advice will have a competitive edge, while improving user confidence in their IoT products.
