The "Internet of Things" Is Primed for a Litigation Explosion: Could It Impact You?
The “Internet of Things” (IOT) refers to devices that can connect to and exchange information with the internet. This includes the devices we traditionally think of as having internet connectivity, such as laptops and smart phones, and as technology advances, the list of items joining the IOT continues to grow. Televisions, cars, medical devices, home systems (e.g., doorbell cameras, door locks, garage door openers, lighting, and media systems), and even refrigerators are now internet capable. Some studies suggest the IOT devices currently in circulation exceed 8 billion, and that number is expected to grow to over 20 billion by 2020.
As the volume of internet-capable devices grows, so does the risk of criminals finding new and different ways to exploit vulnerabilities. Imagine not just the possibility of your personal information being compromised by a data breach but the potential for an individual in a foreign nation to remotely threaten bodily injury if you fail to pay a digital ransom by hacking into your medical device, car, or house. Imagine further the potential legal implications of such “cyber-physical” breaches for developers, manufacturers, and retailers of those products.
To date, these cases have been relatively few and far between. However, a few recent cases and legal insights from prominent class-action firms that deal in the cyber realm suggest the IOT may be on the brink of a litigation explosion.
For example, in March, Standard Innovation Corp. entered into a $3.75 million settlement arising from privacy claims relating to an internet-connected intimate device sold by the company. The class-action lawsuit alleged the company improperly collected highly personal data on the product’s users without the users’ knowledge or consent.
In July, a federal court in Illinois partially certified a class of plaintiffs in a lawsuit involving an alleged hacking vulnerability in the Infotainment centers of certain Dodge and Jeep vehicles. The plaintiffs in that case allege the vulnerability could allow hackers to remotely access and issue commands to the vehicles.
Plaintiffs’ counsel and cybersecurity professionals suggest these sorts of vulnerabilities are widespread among IOT devices. One such plaintiffs’ counsel whose firm operates its own forensic lab to test IOT devices recently stated that numerous devices are subject to relatively simple hacks that any reasonably intelligent individual with basic computer knowledge could pull off.
Clearly this issue is of interest to just about everyone. We all have numerous IOT devices in our personal and professional lives––and the sorts of data these devices are transmitting or collecting and what the devices could be remotely directed to do concern us all. For those businesses that are or may be connected (no pun intended) to the development, sale, or use of IOT devices now or in the future, there is yet another layer of cyber risk that must be considered and addressed.
Anyone who has dealt with a ransomware attack can vouch for the disruption, stress, and expense associated with these attacks. What if instead of simply threatening your data, a cybercriminal was threatening to shut down the monitoring of IOT medical devices or, even worse, disable such devices altogether?
Who might be liable if a hacker accesses the software controlling a pacemaker and threatens to stop the device or alter it in a way that causes injury or death to the patient? The device manufacturer? The distributor? The hospital where the device was implanted? The doctor who implanted it?
What about a scenario where a hacker remotely causes a car to suddenly shut down, stop, or swerve in the middle of highway traffic? Is the software developer responsible? The car manufacturer? The local dealership? The driver?
These questions and many others concerning the IOT remain to be answered. Industry experts and regulatory agencies such as the Federal Trade Commission acknowledge the need for reasonable security standards for IOT devices—but also recognize that perfect security is not possible and that there must be room within any regulatory scheme for innovation. As a result, the IOT continues to grow unchecked by substantial regulation or even by agreed upon industry standards.
Regardless, as the IOT continues to grow, it presents a thorny field of legal issues that will need to be answered for the first time by a court or lawmakers and that should undoubtedly be thought about and assessed before your company sees them asserted against it in a lawsuit.
If you have any questions regarding the information provided in this alert, please contact Nick DiCesare, cybersecurity team leader, at firstname.lastname@example.org.