chevron-down Created with Sketch Beta.
June 04, 2019 Feature

Liability for the Internet of Things

By Bethany Corbin

The Internet of Things (IoT) is revolutionizing sectors of the American economy, with experts predicting that the number of connected devices will exceed 31 billion by 2020. As the name suggests, IoT refers to a network of smart devices that collect and transfer data through wireless infrastructure. These devices contain embedded sensors that measure and exchange data without human interaction, allowing the data to be subsequently analyzed for trends, insight, and intelligence.

Over the years, connected devices have transformed how humans interact, work, play, and manage their homes and health. However, as connected device capabilities expand, the risk for privacy and security breaches, hacks, and hijacks increases exponentially, exposing end users to financial and personal harm. The heightened risk associated with IoT products brings into focus a crucial question: which parties bear liability when “things” go wrong? This article addresses concerns for applying existing tort liability structures to IoT devices and explores strategies for mitigating liability risks.

IoT Liability: Drawbacks to Traditional Tort Doctrines

Because electronic communication devices are “products,” it is natural to assume that damages resulting from IoT device vulnerabilities, insecure code, and design defects will be remedied through traditional tort doctrines, including products liability (i.e., the culpability of a manufacturer or seller whose goods or products injure consumers), negligence (i.e., breach of a duty of care), and breach of warranty. These traditional principles, however, may be ill-fitted to remedy harm from IoT defects, given the unique and complex nature of IoT devices. This has caused experts and scholars to question whether IoT will “reshape the law of products liability.” Mauricio Paez & Mike La Marca, The Internet of Things: Emerging Legal Issues for Business, 43 N. Ky. L. Rev. 29, 57 (2016). While most IoT cases are currently stalled at the motion to dismiss stage, courts eventually will be expected to apply tort principles to remedy harm caused by IoT device breaches and hacks. The application of products liability to IoT devices, however, is imperfect, and both plaintiffs and device manufacturers should consider the following challenges when bringing and defending IoT tort actions.

First, IoT devices present unique liability challenges because their complex and lengthy supply chains make it difficult to apportion liability. It is unclear where along the supply chain liability will fall for a malfunctioning device. Unlike traditional products, which have relatively limited manufacturing processes, IoT devices involve numerous manufacturers, developers, suppliers, coders, and sellers. Without a clear demarcation of liability along this chain, it is difficult for parties to predict litigation risks, and for courts to properly assign blame and penalties. While some parties may attempt to allocate liability contractually, strict liability for product defects cannot be transferred by contract. See Benjamin C. Dean, An Exploration of Strict Products Liability and the Internet of Things, Center for Democracy & Tech. 1, 21 (Apr. 2018). The inability to contractually assign strict product liability combined with the uncertainty of where liability may fall on the supply chain may cause manufacturers to exit the IoT industry if courts rely on traditional products liability standards alone.

Second, products liability remedies can fail to offer sufficient relief to consumers for injuries related to malfunctioning IoT devices. Products liability is limited by the economic loss doctrine, which prohibits tort actions for purely financial harm. Depending on the industry, financial harm may be the only injury suffered by consumers, which eliminates the possibility of tort recovery. Further, consumers face an uphill battle to prove that missing security features or design flaws alone caused the claimed damage. Most IoT injuries currently are caused by the intervening acts of a third party (e.g., hacker), even though insecure code within the IoT device may have permitted the hacker to compromise the product initially. It is unclear how courts will apportion liability in these instances between the IoT supply chain and the hacker.

Finally, with respect to design defect claims premised on insecure code, plaintiffs face the inherent drawback that no code is universally secure. Consumers will have difficulty establishing that a device’s code and accompanying security procedures are inherently less safe than those of alternative products currently on the market. Indeed, estimates suggest that programmers make 10 to 50 coding errors for every 1,000 lines of code. See Dean, supra, at 7. Additionally, for negligence claims, plaintiffs will be hard pressed to define a standard of care owed by the device manufacturers, particularly given the widespread recognition of inherent code vulnerabilities and the lack of federal cybersecurity regulations and standards.

As cases proceed through the court system, it is only a matter of time before the judiciary is tasked with applying longstanding tort principles to new technological devices. Traditional products liability notions will be challenged with IoT device litigation and may result in redefined or updated tort liability standards to reflect greater symmetry between digital products and liability principles. For now, more questions than answers exist regarding liability for IoT devices, which may force both plaintiffs and defendants to think outside the box as these types of cases progress.

Mitigating Risk with Insurance and Cybersecurity Best Practices

Given the increasing liability concerns for IoT devices, manufacturers should consider mitigating future liability risks with insurance and cybersecurity best practices. For claims that allege harm from the routine use of an IoT product, liability coverage may be found in general liability policies. See Catherine Serafin, A Policyholder’s Guide to IoT Claims Coverage, Risk Management (Feb. 1, 2018), Manufacturers should review their general liability policies to ensure such liability is not omitted through a specific exclusion. Further, IoT software manufacturers and coders may also consider obtaining technology errors and omissions (E&O) insurance. Technology E&O policies are a type of professional liability insurance that cover claims arising from negligence or wrongful acts in rendering professional technological services or providing technology products. See id. Finally, given that IoT devices interact across wireless networks, manufacturers should weigh the costs and benefits of purchasing cyber liability coverage.

In addition to obtaining proper insurance coverage, it is advised that manufacturers adhere to best practice cybersecurity standards when creating their devices, even if such standards are not yet mandatory. Industry organizations have published voluntary cybersecurity frameworks that are updated continuously to help ensure consumer safety. These frameworks represent a collective effort to define best-practice standards in an area that is not only constantly evolving but also lacks comprehensive federal regulation. At the same time, these industry frameworks incorporate flexibility to adapt to different organizational structures. By implementing best practice standards and/or adopting an industry cybersecurity framework (e.g., National Institute of Standards and Technology, Health Information Trust Alliance, International Organization for Standardization, etc.), manufacturers can build defenses for potential future claims of negligence based on a failure to adhere to appropriate standards of care. Accordingly, while the future of liability for IoT devices remains uncertain, manufacturers, suppliers, and coders can take valuable steps now to help mitigate risk.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

By Bethany Corbin

Bethany Corbin is a complex litigation and regulatory compliance attorney with Wiley Rein LLP in Washington, D.C. She is a certified information privacy professional (CIPP/US) and currently serves as the representative from the Young Lawyers Division to TIPS’s Cybersecurity and Data Privacy Committee. She may be reached at [email protected].