Program Overview: What Your Company Needs to Understand to Stay Ahead of the Competition
Companies are exponentially expanding their use and production of connected products and technologies. It is estimated that in 2021, 22.5 billion IoT devices will be shipped globally. With that growth comes a litany of legal challenges. We will discuss the scope of the IoT landscape and address some of the critical legal areas for companies using or selling IoT products, including:
Data privacy and security risks associated with the use of IoT devices; the tension between engineering and marketing departments' desire to retain and mine IoT data and the legal risks of accessing, aggregating, and storing that data; product liability and other legal issues arising from IoT devices, including their effect on product liability claims; and the ever-changing landscape of industry-specific regulatory requirements.
Legal Risks of Operating in the World of Connected Technologies (Internet of Things)
1. Legal Risks of Operating in the World of Connected Technologies (IoT)
Business Law Training
April 12, 2018
Linda Emery, Heather Buchta
2. What is the Internet of Things?
It's not new – the term was first used in the late '90s
"ubiquitous ecosystem of sensors and connected devices"
"cyber physical systems"
"system of systems"
"smart systems that include co-engineered interacting networks of physical and computational components"
"internet-enabled appliances to an existing infrastructure of computers and mobile devices"
3. What is it really?
"interconnection of computing devices embedded in everyday objects via the Internet to send and receive data"
"sprawling set of technologies and use cases that has no clear, single definition"
Device + software + connectivity + big data = IoT
4. What is the Internet of Things?
Over 26 billion by 2020
Smart Home, Connected Health, Connected Cars, Connected Industrial
5. Five Largest Categories
Connected Vehicles
Connected Health Care Devices
Connected Homes
Industrial internet (transportation, oil & gas, and healthcare)
Vehicles
8. Why is it different?
Functionality
It's "smart"
Functions/processes without being told
Communications capability
Creates risk and security vulnerabilities
Intellectual property
Embedded software – copyrights and patents
Laws favor the author/inventor/developer
Who owns the data?
Result is complexity in implementation and development
10. What's at Risk
Damage to Reputation & Loss of Goodwill
Investigations and Incident Response
Legal Fees, Notification Costs, Call Centers
Loss of Competitive Advantage
Lost Sales, Revenues & Profits
Lawsuits/Class Actions
Regulatory Fines
12. FTC Recommendations
FTC Recommendations for Data Security and Privacy Practices When Selling Connected Products
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
13. IoT is a Team Sport
Multidisciplinary Team. The FTC recommends that the company's team include:
Hardware designers and engineers
Software and app developers
IT security personnel
Legal and compliance
HR
Marketing
14. Security By Design
Security By Design. Companies need to build security in by design, not as an afterthought
Don't Assume Safety: Product design should not assume the safety of a customer's home network
Testing: Test the security of devices before launching a product
15. Risks During Product Testing
Third Party Products. Check for vulnerabilities in third-party components integrated into your products.
Relock Doors. Verify that if you turn off security measures during testing, you switch them back on before going live.
Back Doors. Check whether you have closed back doors through which hackers could access information or gain control of the device.
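The three checks on this slide can be turned into a release gate that blocks a build until test-time settings are restored and known-vulnerable third-party components are replaced. The script below is an added illustration, not code from the presentation or any named regulator; the configuration keys, component names, versions and the "known vulnerable" list are all constructed for the example, and a real gate would take that list from a software composition analysis tool or vendor advisories.

```python
"""Pre-release security gate for an IoT firmware build (constructed example).

Checks a build manifest for (1) security measures relaxed during testing that
must be relocked before shipping, (2) test back doors such as a debug shell or
factory credentials, and (3) third-party components pinned to versions on a
known-vulnerable list. All names and sample data are hypothetical.
"""
from dataclasses import dataclass, field

# Settings engineers commonly relax during testing, with the value each must
# have in a production build. Constructed list; adapt to your product.
PRODUCTION_REQUIREMENTS = {
    "tls_verify_peer": True,             # relocked door: certificate validation on
    "secure_boot": True,                 # relocked door: boot signature check on
    "debug_shell_enabled": False,        # back door: no serial/telnet debug shell
    "allow_default_credentials": False,  # back door: factory password blocked
    "remote_log_upload_plaintext": False,
}

# Constructed known-vulnerable (component, version) pairs. In practice this
# comes from your SCA tooling or vendor advisories, not a literal in code.
KNOWN_VULNERABLE = {
    ("example-tls-lib", "1.0.2"),
    ("example-mqtt-client", "0.9.1"),
}


@dataclass
class BuildManifest:
    config: dict          # firmware build settings
    components: list      # list of (name, version) tuples from the build's inventory


@dataclass
class GateResult:
    failures: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.failures


def check_relocked_doors(config: dict) -> list:
    """Return one message per setting that is missing or still at a test-time value."""
    problems = []
    for key, required in PRODUCTION_REQUIREMENTS.items():
        actual = config.get(key)
        if actual is None:
            problems.append(f"{key}: not set (required {required})")
        elif actual != required:
            problems.append(f"{key}: is {actual}, required {required}")
    return problems


def check_third_party_components(components: list) -> list:
    """Return one message per component pinned to a known-vulnerable version."""
    return [f"{name} {version}: known vulnerable version"
            for name, version in components if (name, version) in KNOWN_VULNERABLE]


def run_release_gate(manifest: BuildManifest) -> GateResult:
    """Run every check; the build ships only when the result has no failures."""
    result = GateResult()
    result.failures.extend(check_relocked_doors(manifest.config))
    result.failures.extend(check_third_party_components(manifest.components))
    return result


# Constructed sample: a build as it might come out of a test cycle, with TLS
# validation off, the debug shell left on, and an old TLS library.
TEST_CYCLE_BUILD = BuildManifest(
    config={"tls_verify_peer": False, "secure_boot": True,
            "debug_shell_enabled": True, "allow_default_credentials": False,
            "remote_log_upload_plaintext": False},
    components=[("example-tls-lib", "1.0.2"), ("example-mqtt-client", "1.2.0")],
)

# The same build after the doors are relocked and the library is upgraded.
RELEASE_BUILD = BuildManifest(
    config={**TEST_CYCLE_BUILD.config, "tls_verify_peer": True,
            "debug_shell_enabled": False},
    components=[("example-tls-lib", "1.1.0"), ("example-mqtt-client", "1.2.0")],
)

if __name__ == "__main__":
    for label, build in (("test-cycle build", TEST_CYCLE_BUILD),
                         ("release build", RELEASE_BUILD)):
        gate = run_release_gate(build)
        print(f"{label}: {'PASS' if gate.passed else 'BLOCK'}")
        for failure in gate.failures:
            print("  -", failure)
```

A missing key is treated as a failure rather than defaulted, so a setting that was never written into the manifest cannot pass silently; that is the case the "relock doors" advice is most often about.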
16. Multiple Levels of Security
Multiple Levels of Security. Companies should identify significant risks within their systems at every level
Implementing security measures at several levels
Identify security soft spots
17. Data Mapping and Collection
What Data is Collected: Inventory of Information. If a device collects and transmits data, have an up-to-date inventory of the kinds of information in your possession.
Why are you collecting it?
Where are you storing it?
How are you storing it? – Combinations of PII and connected data?
How long are you storing it?
18. Best Practices
An understanding of where your data is held
Clear privacy policy which you follow
Strong IT and product security practices
A data breach plan and team
High engagement by the Company on privacy issues on an enterprise-wide basis
19. Consumer Product Safety Commission (CPSC)
CPSC "impute[s] to the subject firm knowledge of product safety related information received by an official or employee of a subject firm capable of appreciating the significance of the information."
Does the data collected by connected devices constitute "knowledge of product safety related information?"
If a manufacturer chooses not to analyze information available to it, can it then claim it was not "capable of appreciating the significance" of isolated reports?
21. DHS Report
Manufacturers should design with worst-case scenarios in mind. "Developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption."
IoT devices should be designed so they can be updated if security flaws are found. "In the absence of the ability to deploy security updates, manufacturers may be faced with the decision between costly recalls and leaving devices with known vulnerabilities in circulation."
22. Medical Devices
By 2020, 40% of IoT-related technology will be health related – more than any other category
Expect an uptick in medical device litigation
"Where manufacturers, healthcare providers and consumers see innovation, functionality, integration and an all-around more capable product, plaintiffs' firms see potential failure on a mass basis and dollar signs." Medical Device Litigation: The "Internet of Things" Is Coming, 11 No. 3 In-House Def. Q. 26
23. Food & Drug Administration
The Food and Drug Administration issued final guidance regarding the need for post-market management of cybersecurity in medical devices
https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
24. Food & Drug Administration
In January 2016, the FDA released draft guidance for post-market management of cybersecurity in medical devices.
Developers should address cybersecurity throughout the product life cycle, including design, development, production, distribution, deployment, and maintenance.
Cybersecurity risks to medical devices are evolving, and therefore it is not possible to completely mitigate risks through premarket controls alone.
25. National Highway Traffic Safety Administration
Federal Automated Vehicles Policy
https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/federal_automated_vehicles_policy.pdf
Federal Motor Vehicle Safety Standards for Automated Vehicles
26. Autonomous Vehicle Laws
Some states have specific laws covering autonomous vehicles: District of Columbia, California, Florida, Michigan, Nevada, North Dakota and Tennessee.
27. NIST Guidelines
Require compliance with NIST Guidelines
https://www.nist.gov/cyberframework
Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014 (Version 1.0)
Currently at Draft 2 of Version 1.1
28. Underwriters Laboratories
UL 2900 – Cybersecurity Assurance Program (CAP). UL 2900 is not a standard. It is an outline for the eventual development of a standard.
Requirements regarding the vendor's risk management process for its product.
Designed to help vendors minimize cybersecurity risks by assessing software vulnerabilities, minimizing exploitation, addressing known malware, reviewing security controls, and increasing security awareness.
30. Software and Sensors
Software and sensors are critical component parts in IoT products
Their providers are both "component parts suppliers"
Significant product liability exposure
31. IoT Product Claims
Was the misuse, modification or manipulation foreseeable?
Who is at fault? The hacker, the manufacturer, the software provider, the sensor manufacturer or the owner who failed to properly secure the product?
32. 3 Product Liability Issues With IoT
Product failure
Security breach
Data destruction, manipulation, or alteration
33. Risk 1: Product Failure
Product malfunction which causes personal injury or property damage
Nest: Nest thermostat suffered a software malfunction, drained the battery and shut down the Nest device
Harm: Cold homes, water pipe damage, and concerns about infants exposed to cold temperatures
Lawsuit: Although Nest fixed the problem, a law firm is looking for plaintiffs for personal injury or property damage lawsuits
34. Risk 2: Security Breach
Claims of physical injury caused by a hack or other security breach
Jeep: White hat hackers remotely accessed a Jeep's controls through the vehicle's communications system
Result: Chrysler recalled 1.4 million vehicles in 2015
Legal: Subject of a government investigation
35. Risk 3: Data Alteration
An IoT product/server is hacked and personal data downloaded and used by the hacker
California Hospital: suffered a Denial of Service Attack in 2016. Hackers held the hospital's IT system hostage for 10 days
Result: Hospital paid hackers 17,000 bitcoin for the encryption key
Legal Risk: Critical patient care services would be compromised. Medical records could have been altered and devices, such as infusion pumps for chemotherapy, would become vulnerable to dosage manipulations.
36. Who is Liable for IoT Losses?
Software developer
Sensor manufacturer
Manufacturer
Retailer
Consumer
37. Who Is At Fault?
Artificial Intelligence: Computer algorithms decide vehicle actions
Auto-crash cases: Move from human negligence to product-liability claims when manufacturers' algorithms – created months and years in advance – make driving decisions that may have life and death implications.
38. Open Issues
Harder to investigate
More difficult to prove liability
New types of experts to investigate?
Products themselves will give much more information
40. Software Developers
The software developer for an IoT product is likely vulnerable to claims
Developers are used to speed to market as the benchmark
Solution: Privacy (and safety) by design
41. Software Vendors
Software licensors will not be protected against third-party injury claims
Many software vendors:
don't understand their product liability exposure to claims for bodily injury and property damage caused by third parties; or
have failed to provide for such exposures in their agreements
Software vendors won't be protected merely by contracts with the manufacturers of the end products
43. Failure to Warn
Liability may exist if a manufacturer of a product knew or should have known of a potential danger and failed to give adequate directions or warnings of that danger
Connected devices may provide manufacturers more metrics and information about their connected devices and the manner in which they are being used
44. Big Data Risk
We are retaining massive volumes of data
Retained information may impact the manufacturer's duty to warn
When manufacturing and marketing new products, companies need to determine what information is important to retain
45. IoT Litigation
IoT lawsuits are "on the rise"
Most cases are still "unresolved or have been dismissed because courts couldn't find injury"
46. Cahen v. Toyota Motor Corp.
In Cahen v. Toyota Motor Corp., 3:15-cv-01104 (N.D. Cal. March 10, 2015), Plaintiffs alleged auto manufacturers equipped their vehicles with computer technology that is vulnerable to hacking
Hackers can communicate remotely with the computers controlling vehicle functions, resulting in a complete loss of driver control over steering, accelerating and braking
Plaintiffs alleged manufacturers were aware of security vulnerabilities, but represented the products as safe
47. IoT Lawsuits – Auto (continued)
Defendants argued "that plaintiffs do not allege any hacking incidents that have taken place outside of controlled settings, and that the entire threat rests on the speculative premise that a sophisticated third party cybercriminal may one day successfully hack one of plaintiffs' vehicles."
The court agreed, finding that the potential risk of future hacking was not an injury in fact. Plaintiffs have appealed the dismissal to the Ninth Circuit.
48. Flynn v. FCA
Chrysler Group. In Flynn v. FCA US LLC, 3:15-cv-855 (S.D. Ill. Aug. 4, 2015):
Plaintiffs alleged a security flaw in "infotainment" centers manufactured by Harman International Industries for certain Chrysler vehicles.
Plaintiffs alleged the infotainment system is "exceedingly hackable," permits hackers to "remotely take control" of steering, acceleration and braking, and lacks the ability for software security flaws to be quickly and effectively "patched."
The court held plaintiffs had standing to sue for damages for the diminished value of their cars because "the ongoing vulnerabilities have reduced the market value of their vehicles."
A 2015 article in Wired drew attention to the vulnerability's effect on sales price.
49. Home Security Devices
Baker v. ADT Corp., No. 2:15-cv-02038 (C.D. Ill. Nov. 9, 2014). Plaintiff filed a class action alleging ADT's wireless security and monitoring equipment could be remotely turned on or off using technology readily available to the public.
Plaintiff alleged his system was hacked at least twice by an unauthorized third party, which "caused the system to be falsely triggered, which in turn caused ADT to contact Plaintiff and have the police called to Plaintiff's home."
50. Medical Devices
Ross v. St. Jude Medical Inc., No. 2:16-cv-06465 (C.D. Cal. Aug. 26, 2016):
Plaintiff challenges a variety of St. Jude Medical's implants – including pacemakers, defibrillators and heart resynchronizers – that use radiofrequency wireless technology.
Plaintiff claims that the devices are exposed to potential attacks in which hackers could disable the device or drain its battery.
51. Medical Devices (continued)
The technology allows the implanted devices to be monitored remotely. The plaintiff alleged that the company owed the patients a "duty of care to ensure that the devices safeguarded against potential hacking..."
"It is foreseeable that if defendants did not take reasonable security measures, the devices could be accessed, viewed or controlled by unauthorized persons."
Plaintiff voluntarily dismissed the case, without prejudice, in December 2016.
54. Contracts and Internal Policies
Contractual protections between manufacturers and software developers to properly balance and shift the potential third-party liability exposures
Disclaimers of liability by consumers?
Privacy Policies and Just-in-Time Privacy Notices
Incident Response Plans
55. Prior to Development
What type of development is taking place?
Hiring a contractor to develop
Being hired as a contractor to develop
Jointly developing
Confidentiality is not the same as ownership
Development brings risk that is not addressed in NDAs
Ownership and assignments need to be particularly spelled out, along with risk
57. Development Legal Risks
Product Liability – Product Failure: Software Developer, Sensor Manufacturer, Manufacturer, Retailer, Consumer
Data Security – Breach; Data Integrity
58. Document Lifecycle of an IoT Development
NDA
LOI/MOU – only if it serves a business purpose
Usually nonbinding
Development Agreement – who is hiring whom?
Contributions
Ownership
Clearance
Delivery obligations – fees, timelines, expenses, specs
Liability
Support/maintenance – only maybe
End result is usually a working prototype
59. Document Lifecycle of an IoT Development (cont'd)
Commercialization Agreement
Production/distribution
Marketing/sales
Hosting
Data collection/use/ownership
Support/maintenance
End Users
Terms and conditions
End user license agreements
Privacy policies
60. Development Considerations
Ownership and Clearance
Open Source/Third Party Code
Risk of Infringement
In-Market Complexities
Ongoing Support
Ongoing Maintenance
Subsequent Owners
61. Laws and Standards Bodies
Laws and regulations
Standards organizations
Industry groups