The Internet of Things, the Future of Supply Chain, and Emerging Legal Developments
Christopher A. Suarez, Justin G. Castillo, Diana G. Santos, and Ida Wahlquist-Ortiz
July 01, 2022 Feature
The global supply chain affects everyone. Without a well-functioning supply chain, we lose access to critical food, medicine, technology, and consumer goods that are vital to our everyday lives and survival. As the COVID-19 pandemic spread globally over the past two years, effects on the global supply chain were apparent. Computer chips and semiconductors that once readily arrived at their destinations intact and on time are more frequently delayed,1 and critical medicines, including the COVID-19 vaccine, were spoiled as a result of failures along the “cold chain” to maintain them at the proper temperature.2
These recent challenges have brought supply chain issues to the forefront of the conversation. In those conversations, the Internet of Things (IoT) has increasingly emerged as a key driver of innovation and opportunity in the global supply chain. A recent McKinsey report confirmed that IoT adoption has increased exponentially over the last five years and identified supply chain as “the largest potential source of value” of all possible IoT applications.3 Meanwhile, the adoption of 5G will expand opportunities for IoT devices to be able to track points along the supply chain with fidelity and to track the flow of goods at higher levels of granularity.4 We are well past the days when items along the supply chain were tracked at the crate or pallet level, and are approaching the point where it will be easier to track individually packaged goods along the supply chain. The impact of geopolitical events—especially the Russian invasion of Ukraine—is also changing our understanding of the risks; one observer recently suggested that the sheer number of supply chains, and the ensuing complexity, has made them more like a “supply web.”5
What is the Internet of Things, and why is it so important to the supply chain? According to IBM, “the Internet of Things is the concept of connecting any device . . . to the internet and to other connected devices, . . . all of which collect and share data about the way they are used and about the environment around them.”6 The IoT is made of connected devices that typically include sensors. These sensors can measure and collect data on numerous environmental factors, including location, temperature, rotation, motion, moisture, gas, and so much more. The data that IoT collects are highly relevant to supply chain operations: knowledge of location is vital to understanding where and how goods are moving; temperature data are vital to ensure that goods do not spoil; knowledge of the rotation and motion of goods can be used to understand and reduce risks of breakage; and data on moisture and gas might be relevant to contamination.
When goods are tagged with IoT devices that include one or more of these sensors, the possibilities for data collection are endless and open up the possibility of true end-to-end supply chain visibility.7 It is no surprise that, in light of these opportunities, the Biden administration has recently announced a new pilot initiative to improve data sharing among numerous key stakeholders along the supply chain, including port authorities, businesses, and logistics operators.8 With the use of IoT in the supply chain comes increased opportunities for data collection, optimization, and the use of AI and machine learning that can improve supply chain operations around the globe. We can expect companies and organizations along the supply chain to seize these opportunities, and many have already begun to do so.
Given the ongoing convergence of the IoT and the supply chain, lawyers should be aware of numerous emerging legal developments that will become increasingly relevant. The following sections outline some of these key areas, along with some thoughts as we all address an interconnected supply chain. These include cybersecurity and privacy; intellectual property and standards; international trade; and product safety and labeling.
Cybersecurity and Privacy
Both the security of IoT supply chain data and the privacy of that data will be of vital importance. The IoT has, at times, created security challenges. The process of fixing, upgrading, and patching IoT devices can be “a real nightmare” because they are, among other things, often numerous, widely dispersed, and hard to access.9 It is well-known that IoT devices have frequently been used in connection with Distributed Denial of Service (DDoS) attacks, which exploit security vulnerabilities to overwhelm networks and cause service outages.10 Moreover, supply chain data can be both sensitive and valuable and thereby vulnerable to attack, as shown by the Log4j vulnerability, for example.11 As such, mechanisms need to be put into place to protect the cybersecurity of IoT devices that might be used along the supply chain.
To address these issues, Congress passed the IoT Cybersecurity Improvement Act of 2020.12 The Act applies to the federal government and its contractors and will ensure that IoT initiatives within federal agencies adhere to certain cybersecurity requirements and standards. The law requires that the National Institute of Science and Technology (NIST) develop standards for appropriate use, management, and information security for IoT devices—some of which have already been developed. While the law only applies to the federal government, the government’s broad procurement authority and influence over IoT vendors will help ensure that vendors create and support IoT devices that adhere to the standards set forth by NIST and enforced by agency heads.13 NIST standards and recommendations have already been promulgated that will help agencies and their vendors consider necessary security requirements for IoT applications that bear on supply chains.
Apart from Congress, the executive branch has also taken an interest in regulating cybersecurity in both the supply chain and IoT contexts. President Biden’s Executive Order dated February 24, 2021, sought to “strengthen the resilience of American supply chains.”14 His May 12, 2021, Executive Order initiated pilot programs to “educate the public on the security capabilities of Internet-of-Things . . . devices and software development practices”15 and imposed requirements on agencies to identify critical software best practices to enhance the security and integrity of software used along the supply chain.16 We can expect more regulations and laws on the cybersecurity front to develop as the IoT becomes more entrenched within the supply chain.
Privacy will also continue to be an important issue. The IoT derives much of its power from the ability to gather, process, and use data. To the extent that IoT devices collect detailed information about the flow of goods in the supply chain, the data might contain sensitive information that could implicate the privacy of individuals involved in supply chain operations or the intended recipient of the goods. While beyond the scope of this article, attorneys will need to continue to monitor relevant global and domestic privacy laws, such as the Global Data Privacy Regulation, the Health Insurance Portability and Accountability Act of 1996, and emerging state privacy laws such as the California Consumer Privacy Act, the Virginia Consumer Data Privacy Act, the Utah Consumer Privacy Act, and other similar laws that may be relevant to certain data collected using the IoT in the supply chain context.
To address these issues, knowledge of the law will be important, but it will also be vital for attorneys to work directly with their company’s or clients’ engineers and technical staff to incorporate cybersecurity and privacy by design into the structure of their technologies. Adopting design frameworks such as “privacy by design” can be useful to proactively embed privacy principles in the design of IoT applications and systems.17 Additionally, topics like risk allocation will become increasingly important. There will be many players in the IoT supply chain, including the IoT vendors themselves, retailers, suppliers, importers, logistics companies, consumers, and so many more—all of which operate in the same supply chain infrastructure. Lawyers need to ask themselves who will bear privacy and cybersecurity risks, and how those risks should be distributed. Lawyers will also need to stay tuned to cultural shifts in society’s expectations for privacy and cybersecurity.18 For now, there is some level of specificity, but these social protections will continue to evolve as society learns more about the issues.
Intellectual Property and Standards
While the cybersecurity and privacy of IoT data collected in the supply chain context will be important, so too will be an understanding of the intellectual property (IP) implications of those data and of the IoT devices that procure them. Because the IoT and its applications involve the collection of data and the use of both hardware and software to collect the data, nearly all forms of IP are implicated by the use of the IoT in the supply chain. Anyone along the supply chain will need to be aware of these applications.
Starting with the data collected using the IoT, collected data can be viewed through multiple IP lenses. Supply chain data can be highly sensitive, business proprietary information that could be helpful to a company that seeks to optimize its supply chain operations. Accordingly, the collection of supply data might be valuable as a trade secret, just as a customer list might be valuable as a trade secret if the data are maintained in a secured system. Additionally, while the copyright laws do not permit copyrighting of facts, the recent Compulife Software v. Newman case in the Eleventh Circuit explored whether tactics known as “data scraping” might be actionable under the copyright and trade secret laws.19 One could imagine scenarios where companies might want to provide public windows into supply chain operations over the Internet, but where some attempts may be made to improperly scrape or mine those data from the Internet.
Beyond data, the IoT devices, along with the corresponding hardware and software infrastructure, implicate every form of IP. The IoT hardware and systems can be patented, as can the processes used to optimize the use of the data. The source code and confidential documents underlying the system can be copyrighted and deposited with the Copyright Office, but at the same time might be maintained as a trade secret.
Having an understanding of all of these forms of IP is of vital importance, as companies face both risks and opportunities in each form of IP. Some aspects of the IoT supply chain infrastructure may be well-suited for patent protection (the hardware and software architecture), while the algorithms that organize and sort data are perhaps less so in light of the development of the law that makes certain software inventions patent ineligible under section 101 of the patent code. Copyright might be useful to protect software, but the recent Google v. Oracle decision from the Supreme Court expanded the fair use exception for certain efforts to copy code.20 And trade secret protection might be useful, but with trade secret protection comes the obligation to keep the IP secret. There may be commercial or practical reasons why this might be difficult in the context of an interconnected ecosystem involving numerous interested stakeholders that must interact and interoperate.
Lest we forget, interoperability is fundamental to an interconnected supply chain and opens up additional IP issues. With interoperability comes the need for standards, including standardized networks that support network interconnectivity (such as 4G/5G), as well as standards that promote data aggregation and sharing as appropriate. These standards might be subject to Standard Essential Patents (SEPs), which are patents that are critical to using a particular standard and might require a license.21 Industries that implement IoT in the supply chain will need to be prepared to address the role that SEPs might play in the context of their IP strategy. Overall, lawyers will need to address and understand the vision they or their clients have for IP in the context of their supply chain operation.
Logistics and International Trade Issues
International trade issues will also be highly relevant to any discussion of IoT and the supply chain. This topic overlaps somewhat with the IP issues discussed above because the International Trade Commission (ITC) has jurisdiction over articles imported into the United States that infringe patents or copyrights, for example.22 But beyond the ITC and IP, lawyers should generally familiarize themselves with other international trade issues. For example, export controls might place restrictions on how items or materials can be shipped and may place constraints on the use of the IoT in the supply chain in certain situations. As one recent example, the Uyghur Forced Labor Prevention Act establishes restrictions on placing goods into the supply chain that were derived from forced labor in China,23 and the IoT could perhaps be used to identify and remove such goods from the chain. Some countries’ laws may be more supportive of the use of IoT applications in the supply chain than others. Similarly, breakdowns in the supply chain or the use of the IoT and the supply chain may depend on the regulatory and telecommunications infrastructures of various countries along the chain.
Contracting and Risk Allocation
The IoT and supply chain can also raise challenges for contracting and risk allocation. Threats such as the Log4j vulnerability now make it possible for a threat to jump from a supplier’s network to yours. This places a premium on assessing, understanding, and documenting your suppliers’ approaches to supply chain management; propagating best practices for supply chain security throughout those suppliers; and ensuring that you have contract provisions in place that require suppliers to notify you and take appropriate remedial action if and when there are vulnerabilities and exploits that could affect your company’s (or your customers’) systems. These efforts are important because, for example, the extent to which a company reduces and mitigates risks within its ecosystem affects a company’s ability to obtain cyber insurance.24 The accumulated risk within a company’s ecosystem may lead to restrictions on the type and amount of coverage available, which is already becoming more and more limited despite an increase in premiums.25
Product Safety and Labeling
Other laws that are relevant to the IoT and supply chain relate to product safety and labeling. Several laws seek to protect the integrity of food and medicine transported along the supply chain, including the Food Safety Modernization Act of 2011 and the Drug Supply Chain Security Act of 2013 in the United States, and the Falsified Medicines Directive and European Green Deal in Europe.26 These laws will impose requirements for tracing product movement and recording data relating to those products along the supply chain. For reasons discussed above, the IoT and its sensors are going to be incredibly useful for compliance with these laws. As one example, the Drug Supply Chain Security Act requires product tracing by dispensers in the drug supply chain at the package level by 2023, requiring “product tracing information” to be exchanged at each point along the chain. IoT sensors will be invaluable for this purpose, and they will also be valuable for tracking critical temperature and other data needed to preserve medicines along the chain, such as the “cold chain” needed for vaccines discussed above. As the IoT enables possibilities for additional tracking and tracing of variables that might promote public health and safety of consumer goods, we might expect to see additional laws and regulations that would promote efforts to collect additional data along the supply chain, consistent with the dictates of the Drug Supply Chain Security Act.
Looking Toward the Future
The supply chain of the future will inevitably be one that is interconnected using the IoT. As with any emerging technological innovation or trend, this presents exciting opportunities, but it creates some risks as well. The proliferation of 5G will make connectivity more ubiquitous and consistent and provide new opportunities for supply chain data collection and analysis. The increased use of satellites and other technologies might open up further opportunities. Questions will arise about where to host the IoT supply chain infrastructure; who should be responsible for hosting shared data, and who has access rights to the data; and whether they are used to train artificial intelligence or for other purposes. Additionally, automation will increasingly enter the conversation. With the advent of connected cars and radio-controlled drones, we may reach a point where goods proliferate through the supply chain with minimal human intervention or interaction. Apart from using the IoT to just “tag” and sense the characteristics of objects, therefore, the IoT can be used to completely transform the ways in which objects move along the chain. There is also a great opportunity for IoT to be critical in the creation of a better world by improving environmental, social, and governance reporting through the collection and analysis of data.27 The technological advancement of IoT will raise interesting ethical and legal questions about how we as a society want the supply chain to function, and what role all of us play within it. In this article, we have attempted to identify only some of the legal areas that will be implicated by these trends, and others will certainly arise. As the legal frameworks develop, we should continue to be mindful of the impact the law will have on successful deployments of IoT in the supply chain.
Endnotes
1. Tarek Sultan Al Essa, 5 Ways the COVID-19 Pandemic Has Changed the Supply Chain, World Econ. F.: Davos Agenda 2022 (Jan. 14, 2022), https://www.weforum.org/agenda/2022/01/5-ways-the-covid-19-pandemic-has-changed-the-supply-chain.
2. Pranav Baskar, What Is a Cold Chain? And Why Do So Many Vaccines Need It?, NPR (Feb. 24, 2021), https://www.npr.org/sections/goatsandsoda/2021/02/24/965835993/what-is-a-cold-chain-and-why-do-so-many-vaccines-need-it.
3. Michael Chui & Mark Collins, IoT Comes of Age, McKinsey Podcast (Mar. 7, 2022), https://www.mckinsey.com/business-functions/mckinsey-analytics/our-insights/iot-comes-of-age.
4. How the Use of 5G in Supply Chain Operations Can Prevent Future Disruptions, Verizon: News Ctr. (Mar. 10, 2022), https://www.verizon.com/about/news/impact-of-5g-in-supply-chain.
5. “As companies build more factories, in more locations, and buy parts and materials from a greater diversity of suppliers, the world’s supply chains are becoming more like supply webs.” Christopher Mims, How Sanctions on Russia, War in Ukraine and Covid in China Are Transforming Global Supply Chains, Wall St. J. (Mar. 26, 2022), https://www.wsj.com/articles/how-sanctions-on-russia-war-in-ukraine-and-covid-in-china-are-transforming-global-supply-chains-11648267248?mod=Searchresults_pos5&page=1.
6. Jen Clark, What Is the Internet of Things (IoT)?, IBM (Nov. 17, 2016), https://www.ibm.com/blogs/internet-of-things/what-is-the-iot/#:~:text=In%20a%20nutshell%2C%20the%20Internet,and%20to%20other%20connected%20devices.
7. Robert J. Bowman, Watch: Why the IoT Is Key to Supply Chain Visibility, SupplyChainBrain (Dec. 13, 2021), https://www.supplychainbrain.com/articles/34236-watch-the-iot-key-to-supply-chain-visibility.
8. Press Release, White House Briefing Room, Fact Sheet: Biden-Harris Administration Announces New Initiative to Improve Supply Chain Data Flow (Mar. 15, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/15/fact-sheet-biden-harris-administration-announces-new-initiative-to-improve-supply-chain-data-flow.
9. Fredric Paul, Fixing, Upgrading and Patching IoT Devices Can Be a Real Nightmare, Network World (Sept. 7, 2017), https://www.networkworld.com/article/3222651/fixing-upgrading-and-patching-iot-devices-can-be-a-real-nightmare.html.
10. Scott Ikeda, IoT-Based DDoS Attacks Are Growing and Making Use of Common Vulnerabilities, CPO Mag. (Mar. 25, 2020), https://www.cpomagazine.com/cyber-security/iot-based-ddos-attacks-are-growing-and-making-use-of-common-vulnerabilities; see also H.R. No. 116-501, 116th Cong. (2d Sess. 2020) (“In 2016, internet access was denied for millions on the East Coast due to a distributed denial of service attack facilitated by hundreds of thousands of unsecured IoT devices. Device vulnerability can pose a threat to the Federal Government because these devices can serve as gateways to accessing and launching cyberattacks.”).
11. Log4j Explained: How It Is Exploited and How to Fix It, CISO Mag. (Dec. 17, 2021), https://cisomag.eccouncil.org/log4j-explained.
12. IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207, 134 Stat. 1001.
13. Some of the NIST standards have already been developed. See, e.g., Michael Fagan et al., NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (Nov. 2021); Michael Fagan, Katerina N. Megas, Karen Scarfone & Matthew Smith, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers (May 2020); Michael Fagan et al., NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline (Aug. 2021).
14. Press Release, White House Briefing Room, Executive Order on America’s Supply Chains (Feb. 24, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains.
15. Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software, NIST, https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/cybersecurity-labeling-consumers-internet-things; Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 17, 2021).
16. Improving the Nation’s Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order, NIST, https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity.
17. Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, IAPP (rev. Jan. 2011), https://iapp.org/resources/article/privacy-by-design-the-7-foundational-principles.
18. Colleen Walsh, Fixing the Internet Will Require a Cultural Shift, Harv. Gazette (May 28, 2021), https://news.harvard.edu/gazette/story/2021/05/fixing-the-internet-requires-cultural-shift-says-fran-berman.
19. 959 F.3d 1288 (11th Cir. 2020).
20. Google LLC v. Oracle Am., Inc., 141 S. Ct. 1183 (2021).
21. Analysis of Patents, SEPs and Standards in the Smart Healthcare Sector, IAM (Mar. 16, 2022), https://www.iam-media.com/frand/analysis-of-patents-seps-and-standards-in-the-smart-healthcare-sector.
22. See 19 U.S.C. § 1337(a).
23. Press Release, Antony J. Blinken, Sec’y of State, The Signing of the Uyghur Forced Labor Prevention Act (Dec. 23, 2021), https://www.state.gov/the-signing-of-the-uyghur-forced-labor-prevention-act.
24. What’s Trending in Cyber Insurance?, Marsh, https://www.marsh.com/us/services/cyber-risk/insights/cyber-insurance-market-update-q1-2022.html.
25. Tom Johansmeyer, The Cyber Insurance Market Needs More Money, Harv. Bus. Rev. (Mar. 10, 2022), https://hbr.org/2022/03/the-cyber-insurance-market-needs-more-money.
26. Vishal Gaur, Bringing Blockchain, IoT, and Analytics to Supply Chains, Harv. Bus. Rev. (Dec. 21, 2021), https://hbr.org/2021/12/bringing-blockchain-iot-and-analytics-to-supply-chains. See FDA Food Safety Modernization Act, Pub. L. No. 111-353, 124 Stat. 3885 (2011); Drug Quality and Security Act, Pub. L. No. 113-54, 127 Stat. 587 (2013); Falsified Medicines Directive 2011/62/EU, 2011 O.J. (L 174) 74; A European Green Deal, European Comm’n, https://ec.europa.eu/info/strategy/priorities-2019-2024/european-green-deal_en.
27. Andrew Bruce, The Next Wave of Automation: ESG Data, Forbes (May 7, 2021), https://www.forbes.com/sites/forbestechcouncil/2021/05/07/the-next-wave-of-automation-esg-data/?sh=3257153930dd.