Untangling the Web of Liability in the Internet of Things
19 May 2016
Over the last few years, the Internet of Things – known as the IoT – has taken the technology sector by storm. Although there is no hard and fast definition, digital devices with internet access that connect to other devices form the building blocks of the IoT. Gartner forecasts that 6.4 billion connected ‘things’ will be in use this year and this number is set to grow. Despite its scale, a lot of IoT technology is still in its infancy. Given the possibility of device and network vulnerabilities, many businesses and consumers are trying to understand liability and risk allocation in the IoT.
The promise of the IoT
The IoT promises smart cars, smart kitchens and smart home devices, among other things. Users usually control the various connected devices on the network using an app on their phones or tablets. However, like any technology, the connectivity of the IoT network and the devices themselves have the potential to malfunction or be hacked. This risk is even more prevalent when some manufacturers appear to be taking the approach of release first and fix problems later. The question is who is liable when something goes wrong?
Web of liability
It is important to untangle the IoT web of liability now, as by 2017 there will be more connected devices in circulation than humans on the Earth. Users of the IoT and manufacturers cannot afford to enter into the IoT world unprepared.
Two of the main areas where liability can arise in the IoT are:
- device malfunction; and
- cyber-attacks and theft of personal data stored on the device or network.
As the IoT can connect devices from different manufacturers, it is possible for a user to own a smart fridge from manufacturer A, a smart coffee machine from manufacturer B, and a smart vacuum cleaner from manufacturer C, which are all controlled by a smart phone from manufacturer A that runs IoT software created by a third party software developer. The IoT’s reliance on a complex chain of connected devices makes it much harder to establish who is liable under traditional laws and regulations when something goes wrong. But even at its most simple level, if a smart toaster overheats and burns down a house, the homeowner has a range of potential candidates who he or she can claim are liable for the homeowner’s loss. These range from the retailer, to the toaster manufacturer through to the developers of the phone app or toaster software. Will one party be wholly accountable? Or will the parties involved in creating and processing the integrated data components of the toaster be liable to some extent?
The risks with interoperability are heightened as many device manufacturers do not have experience designing secure computer networks or implementing security protocols on devices. Many devices are also likely to be mass produced and therefore too cheap or not complex enough to include appropriate security measures to protect personal data they store or process.
The situation with product liability is simpler today. When a stand-alone consumer device is faulty or malfunctions within a specified period of time, the user is entitled to certain remedies that are implied into every sale. Under product liability law in Ireland, this includes the entitlement to a repair, replacement or refund from the seller. Product liability will continue to play a role in the IoT. For example, if a smart watch develops a mechanical fault shortly after purchase the user will be able to return it to the seller.
Degree of liability
Manufacturers of IoT devices, IoT network providers and IoT software developers need to be aware that users may bring claims against one or all of them following a device malfunction or security breach. It is not clear if the aggrieved IoT user will be required to prove that they have suffered damage as a result of a IoT player’s actions or if the courts and lawmakers will adopt a ‘strict liability’ approach.
An alternative approach is for the courts and legislators to consider apportioning liability between everyone involved in the IoT product and network chain, regardless of their culpability. But this is not as simple as it sounds. For example, in the case of an IoT data breach or security hack of a network router, a court would have to decide if liability lies with the router manufacturer, the internet service provider or the actual hacker. The final option may not even be practical as many hackers reside outside the reach of the law and the courts.
Criminal or civil remedies
In many cases it is also not clear whether an aggrieved user is entitled to a criminal remedy, a civil remedy or both. It is likely that the answer will depend on the severity of the liability. For example, a mere malfunction of a smart fitness monitor, leaving the user unable to measure their heart rate at the gym, is not likely to give rise to a civil or criminal conviction.
On the other hand, a smart city malfunction could create both criminal and civil liability. For example, if smart traffic lights installed by the local council malfunction, and an automated car driving under them is incompatible with the traffic lights meaning that the car fails to stop and drives into an oncoming vehicle, the result could be serious injury to road users. A situation like this could raise claims of criminal liability. However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car. In this type of situation, looking outside the traditional liability frontiers may be required.
IoT is still a work in progress
Regardless of the nature of the IoT device or network, or how they are used, there is always the potential for a device to malfunction or for a network to be hacked. The IoT will create new risks and this in turn will require a focus on liability. Lawmakers and regulators will need to consider either new forms of liability, or new ways to manage and apply existing laws to different entities in the IoT supply chain. With the security and privacy risks at the fore of the public’s mind, the IoT is still a work in progress. Gartner predicts that security of the IoT will be ‘maximised’ by 2020. But liability won’t wait until 2020. It is therefore critical that IoT manufacturers and developers do not wait for guidance from regulators but continue to refine and improve IoT security standards and protocols. This will provide them with a competitive advantage while at the same time improving user confidence in the IoT.
The content of this article is provided for information purposes only and does not constitute legal or other advice.