Program Overview: What Your Company Needs to Understand to Stay Ahead of the Competition Companies are exponentially expanding their use and production of connected products and technologies. It is estimated that in 2021, 22.5 billion IoT devices will be shipped globally. With that growth comes a litany of legal challenges. We will discuss the scope of the IoT landscape and address some of the critical legal areas for companies using or selling IoT products, including: Data privacy and security risks associated with use of IoT devices, The tension between engineering and marketing departments' desire to retain and mine IoT data and the legal risks of accessing, aggregating, and storing the data, Product liability and other legal issues arising from IoT devices on product liability claims, and the ever changing landscape of industry specific regulatory requirements.

1. Legal Risks of Operating in
the World of Connected
Technologies (IoT)
Business Law Training
April 12, 2018
Linda Emery Heather Buchta

2. -2-
What is the Internet of Things?
 It's not new – term was first used in the late 90's
 "ubiquitous ecosystem of sensors and connected
devices"
 "cyber physical systems"
 "system of systems"
 "smart systems that include co-engineered
interacting networks of physical and computational
components"
 "internet-enabled appliances to an existing
infrastructure of computers and mobile devices"

3. -3-
What is it really?
 "interconnection of computing devices embedded in
everyday objects via the Internet to send and receive
data"
 "sprawling set of technologies and use cases that has
no clear, single definition"
 Device + software + connectivity + big data = IoT

4. -4-
What is the Internet of Things?
 Over 26 Billion
by 2020
 Smart Home
 Connected
Health
 Connected
Cars
 Connected
Industrial

5. -5-
Five Largest Categories
 Connected Vehicles
 Connected Health Care Devices
 Connected Homes
 Industrial internet (transportation, oil & gas, and
healthcare)
 Vehicles

6. -6-
What does it look like?

7. -7-
Why the sudden rise?
Computing power
Bandwidth
Cheap data storage

8. -8-
Why is it different?
 Functionality
 It's "smart"
 Functions/processes without being told
 Communications capability
 Creates risk and security vulnerabilities
 Intellectual property
 Embedded software – copyrights and patents
 Laws favor the author/inventor/developer
 Who owns data??
 Result is complexities in implementation and
development

9. -9-
Legal Risks
Regulatory
Data Privacy
Data Security
Product Liability
Industry Self-Regulation

10. -10-
What's at Risk
 Damage to Reputation & Loss of Goodwill
 Investigations and Incident Response
 Legal Fees, Notification Costs, Call Centers
 Loss of Competitive Advantage
 Lost Sales, Revenues & Profits
 Lawsuits/Class Actions
 Regulatory Fines

11. -11-
Federal Trade Commission (FTC)

12. -12-
FTC Recommendations
 FTC Recommendations for Data Security and Privacy
Practices When Selling Connected Products
 https://www.ftc.gov/system/files/documents/reports
/federal-trade-commission-staff-report-november-
2013-workshop-entitled-internet-things-
privacy/150127iotrpt.pdf

13. -13-
IoT is a Team Sport
Multidisciplinary Team. The FTC recommends the
company’s
 Hardware designers and engineers
 Software and app developers
 IT security personnel
 Legal and compliance
 HR
 Marketing

14. -14-
Security By Design
 Security By Design. Companies need to include
security by design, not as an after thought
 Don’t Assume Safety: Product design should not assume
safety of a customer’s home network
 Testing: Test the security of devices before launching a
product

15. -15-
Risks During Product Testing
 Third Party Products. Check for vulnerabilities in
third-party components integrated into your
products.
 Relock Doors. Verify that if you turn off security
measures during testing, you switch them back on
before going live.
 Back Doors. Check whether you have closed back
doors through which hackers could access
information or gain control of the device.

16. -16-
Multiple Levels of Security
Multiple Levels of Security. Companies should
identify significant risks within their systems at
every level
Implementing security measures at several
levels
Identify security soft spots

17. -17-
Data Mapping and Collection
 What Data is Collected: Inventory of Information. If a
device collects and transmits data, have an up-to-
date inventory of the kinds of information in your
possession.
 Why are you Collecting It?
 Where are you storing it?
 How are you storing it? – Combinations of PII and
Connected Data?
 How long are you storing it?

18. -18-
Best Practices
 An understanding of where your data is held
 Clear privacy policy which you follow
 Strong IT and product security practices
 A data breach plan and team
 High engagement by the Company on privacy issues
on an enterprise-wide basis

19. -19-
Consumer Product Safety Commission
(CPSC)
 CPSC “impute[s] to the subject firm knowledge of
product safety related information received by an
official or employee of a subject firm capable of
appreciating the significance of the information.”
 Does the data collected by connected devices
constitute “knowledge of product safety related
information?”
 If a manufacturer chooses not to analyze information
available to it, can it then claim it was not “capable of
appreciating the significance” of isolated reports?

20. -20-
Homeland Security Report
Traditional product
liability law can be
expected to apply
Liability for inadequate
attention to security

21. -21-
DHS Report
 Manufacturers should design with worst-case
scenarios in mind. “Developers should build IoT
devices to fail safely and securely, so that the failure
does not lead to greater systemic disruption.”
 IoT devices should be designed so they can be
updated if security flaws are found. “In the absence
of the ability to deploy security updates,
manufacturers may be faced with the decision
between costly recalls and leaving devices with
known vulnerabilities in circulation.”

22. -22-
Medical Devices
 By 2020, 40% of IoT-related technology will be health
related – more than any other category
 Expect uptick in medical device litigation
 “Where manufacturers, healthcare providers and
consumers see innovation, functionality, integration
and an all-around more capable product, plaintiffs’
firms see potential failure on a mass basis and dollar
signs.” MEDICAL DEVICE LITIGATION The “Internet of
Things” Is Coming: 11 No. 3 In-House Def. Q. 26

23. -23-
Food & Drug Administration
 Food and Drug Administration issued final guidance
regarding the need for post-market management of
cybersecurity in medical devices
 https://www.fda.gov/downloads/MedicalDevices/Dev
iceRegulationandGuidance/GuidanceDocuments/UC
M482022.pdf

24. -24-
Food & Drug Administration
 January 2016, the FDA released draft guidance for
post-market management of cybersecurity in medical
devices.
 Developer to address cybersecurity throughout the
product life cycle, including the design, development,
production, distribution, deployment, and
maintenance.
 Cybersecurity risks to medical devices are evolving
and therefore it is not possible to completely mitigate
risks through premarket controls alone.

25. -25-
National Highway Traffic Safety
Administration
Federal Automated Vehicles Policy
https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/federal_automated_vehicles_policy.pdf
Federal Motor Vehicle Safety Standards for
Automated Vehicles

26. -26-
Autonomous Vehicle Laws
 Some states have
specific laws covering
autonomous vehicles:
District of Columbia,
California, Florida,
Michigan, Nevada,
North Dakota and
Tennessee.

27. -27-
NIST Guidelines
 Require compliance with NIST Guidelines
https://www.nist.gov/cyberframework
 Framework for Improving Critical Infrastructure
Cybersecurity, National Institute of Standards and
Technology, February 12, 2014 (Version 1.0)
 Currently on draft version 2 of Version 1.1

28. -28-
Underwriters Laboratory
 UL 2900 - Cybersecurity Assurance Program (CAP) UL
2900 is not a standard. It is an outline for the
eventual development of a standard.
 Requirements regarding the vendor’s risk
management process for its product.
 Designed to help vendors minimize cybersecurity
risks by assessing software vulnerabilities, minimize
exploitation, address known malware, review security
controls, and increase security awareness.

29. -29-
IoT Product Liability Risks

30. -30-
Software and Sensors
Software and sensors are critical component
parts suppliers in IoT
They are both “component parts suppliers”
Significant product liability exposure

31. -31-
IoT Product Claims
Was the misuse,
modification or
manipulation foreseeable?
Who is at fault?: The hacker,
the manufacturer, the
software provider, the
sensor manufacturer or the
owner who failed to
properly secure the
product?

32. -32-
3 Product Liability Issues With IoT
Product failure
Security breach
Data destruction, manipulation, or alteration

33. -33-
Risk 1: Product Failure
 Product malfunction which causes personal injury or
property damage
 Nest: Nest thermostat suffered a software
malfunction, drained the battery and shut down the
Nest device
 Harm: Cold homes, water pipe damage, and concerns
about infants exposed to cold temperatures
 Lawsuit: Although Nest fixed the problem, a law firm is
looking for plaintiffs for personal injury or property
damage lawsuits

34. -34-
Risk 2: Security Breach
 Claims of physical injury caused by a hack or other
security breach
 Jeep: White Hat Hackers remotely accessed a Jeep’s
controls through the vehicle’s communications
system
 Result: Chrysler recalled 1.4 million vehicles in 2015
 Legal: Subject of a government investigation

35. -35-
Risk 3: Data Alteration
 An IoT product/server is hacked and personal data
downloaded and used by hacker
 California Hospital: suffered a Denial of Service Attack in
2016. Hackers held the hospital’s IT system hostage for
10 days
 Result: Hospital paid hackers 17,000 bitcoin for
encryption key
 Legal Risk: Critical patient care services would be
compromised. Medical records could have been altered
and devices, such as infusion pumps for chemotherapy,
would become vulnerable to dosage manipulations.

36. -36-
Who is Liable for IoT Losses?
Software developer
Sensor manufacturer
Manufacturer
Retailer
Consumer

37. -37-
Who Is At Fault?
 Artificial Intelligence: Computer algorithms decide
vehicle actions
 Auto-crash cases: Move from human negligence to
product-liability claims
 When manufacturers’ algorithms – created months
and years in advance – can make driving decisions
that may have life and death implications.

38. -38-
Open Issues
 Harder to investigate
 More difficult to prove liability
 New types of experts to investigate?
 Products themselves will give much more information

39. -39-
Discovery and Experts
Software issues make discovery more
complicated
Need for experts regarding both software and
hardware

40. -40-
Software Developers
Software developer for an IoT product is likely
vulnerable to claims
Developers are used to speed to market as the
benchmark
Solution: Privacy (and safety) by design

41. -41-
Software Vendors
 Software licensors will not be protected against third-
party injury claims
 Many software vendors:
 don’t understand their product liability exposure to claims
for bodily injury and property damage caused by third
parties; or
 have failed to provide for such exposures in their
agreements
 Software vendors won’t be protected merely by
contracts with the manufacturers of the end products

42. -42-
Consumer Responsibility
What if the consumer
fails to update their
software or a password?
What if the customer
downloads malware?

43. -43-
Failure to Warn
Liability may exist if a manufacturer of a
product knew or should have known of a
potential danger and failed to give adequate
directions or warnings of a potential danger
Connected devices may provide manufacturers
more metrics and information about their
connected devices and the manner in which
they are being used

44. -44-
Big Data Risk
We are retaining massive volumes of data
Retained information may impact the
manufacturer’s duty to warn
When manufacturing and marketing new
products, companies need to determine what
information is important to retain

45. -45-
IoT Litigation
IoT lawsuits are “on the rise”
Most cases are still “unresolved or have been
dismissed because courts couldn’t find injury”

46. -46-
Cahen v. Toyota Motor Corp.
 In Cahen v. Toyota Motor Corp., 3:15-cv-01104 (N.D.
Cal. March 10, 2015), Plaintiffs alleged auto
manufacturers equipped their vehicles with computer
technology that is vulnerable to hacking
 Hackers can communicate remotely with the
computers controlling vehicle functions, resulting in a
complete loss of driver control over steering,
accelerating and braking
 Plaintiffs alleged manufacturers were aware of
security vulnerabilities, but represented the products
as safe

47. -47-
IoT Lawsuits – Auto (continued)
 Defendants argued “that plaintiffs do not allege any
hacking incidents that have taken place outside of
controlled settings, and that the entire threat rests on
the speculative premise that a sophisticated third
party cybercriminal may one day successfully hack
one of plaintiffs’ vehicles.”
 The court agreed, citing potential risk of future
hacking was not an injury in fact. Plaintiffs have
appealed the dismissal to the Ninth Circuit.

48. -48-
Flynn vs. FCA
 Chrysler Group. In Flynn v. FCA US LLC., 3:15-cv-855
 (S.D. Ill. Aug. 4, 2015):
 Plaintiffs alleged security flaw in “infotainment” centers manufactured
by Harman International Industries for certain Chrysler vehicles.
 Plaintiffs alleged infotainment system “exceedingly hackable,” permits
hackers to “remotely take control” of steering, acceleration and
braking, and lacks the ability quickly and effectively for software
security flaws to be “patched.”
 Court held plaintiffs had standing to sue for damages for diminished
value of car because “the ongoing vulnerabilities have reduced the
market value of their vehicles.”
 2015 article in Wired drew attention to vulnerability on sales price.

49. -49-
Home Security Devices
 Baker v. ADT Corp., No. 2:15-cv-02038 (C.D. Ill. Nov. 9,
2014). Plaintiff filed class action alleging ADT’s
wireless security and monitoring equipment could be
remotely turned on or off using technology readily
available to the public.
 Plaintiff alleged his system was hacked at least twice
by an unauthorized third party, which “caused the
system to be falsely triggered, which in turn caused
ADT to contact Plaintiff and have the police called to
Plaintiff’s home.”

50. -50-
Medical Devices
 Ross v. St. Jude Medical Inc., No. 2:16-cv-06465 (C.D.
Cal. Aug. 26, 2016):
 Plaintiff challenges a variety of St. Jude Medical’s
implants — including pacemakers, defibrillators and
heart resynchronizers — that use
radiofrequency wireless technology.
 Plaintiff claims that the devices are exposed to
potential attacks in which hackers could disable the
device or drain its battery.

51. -51-
Medical Devices (continued)
 The technology allows the implanted devices to be
monitored remotely. The plaintiff alleged that the
company owed the patients a “duty of care to ensure
that the devices safeguarded against potential
hacking...”
 “It is foreseeable that if defendants did not take
reasonable security measures, the devices could be
accessed, viewed or controlled by unauthorized
persons.”
 Plaintiff voluntarily dismissed the case, without
prejudice, in December 2016.

52. -52-
Risk Reduction Strategies

53. -53-
Culture of Security
Senior Management
Employee Training

54. -54-
Contracts and Internal Policies
 Contractual protections between manufacturers and
software developers to properly balance and shift the
potential third-party liability exposures
 Disclaimers of liability by consumers?
 Privacy Policies and Just in Time Privacy Notices
 Incident Response Plans

55. -55-
Prior to Development
What type of development is taking place?
 Hiring a contractor to develop
 Being hired as a contractor to develop
 Jointly developing
Confidentiality is not the same as ownership
 Development brings risk that is not addressed in
NDAs
 Ownership and assignments need to be
particularly spelled out, along with risk

56. -56-
Development Considerations
Data Privacy
 Privacy by Design
 Data "ownership"
 Data use
 Who has the data privacy obligations?
 Collectors
 Processors

57. -57-
Development Legal Risks
Product Liability
 Product Failure
 Software Developer
 Sensor Manufacturer
 Manufacturer
 Retailer
 Consumer
 Data Security
 Breach
 Data Integrity

58. -58-
Document Lifecycle of an IoT
Development
 NDA
 LOI/MOU – only if serves a business purpose
 Usually nonbinding
 Development Agreement – who is hiring who?
 Contributions
 Ownership
 Clearance
 Delivery obligations – fees, timelines, expenses, specs
 Liability
 Support/maintenance – only maybe
 End result is usually a working prototype

59. -59-
Document Lifecycle of an IoT
Development (cont'd)
 Commercialization Agreement
 Production/distribution
 Marketing/sales
 Hosting
 Data collection/use/ownership
 Support/maintenance
 End Users
 Terms and conditions
 End user license agreements
 Privacy policies

60. -60-
Development Considerations
Ownership and Clearance
 Open Source/Third Party Code
 Risk of Infringement
In-Market Complexities
 Ongoing Support
 Ongoing Maintenance
 Subsequent Owners

61. -61-
Laws and Standards Bodies
Laws and regulations
Standards organizations
Industry groups

62. -62-
Data Retention
Carefully
consider data
retention needs
and retention
practices

63. -63-
Security Protections
Warnings
Notices of security
patches and updates
Strict password
requirements
Disclaim liability for
user negligence

64. -64-
Lifecycle
Limited access to devices
Monitor products through lifecycle and apply
patches

65. -65-
Technical Protections
Kill switch in connected devices

66. Questions?
Linda Emery Heather Buchta
414-277-3038 602-229-5228
linda.emery@quarles.com heather.buchta@quarles.com
© 2018 Quarles& Brady LLP - This document provides information of a general nature. None of the
information contained herein is intended as legal advice or opinion relative to specific matters, facts,
situations or issues. Additional facts and information or future developments may affect the subjects
addressed in this document. You should consult with a lawyer about your particular circumstances
before acting on any of this information because it may not be applicable to you or your situation.