Internet of Things Liability
The security flaws of IoT and its ability to perform certain tasks open the door to any associated liability. The three main areas of concern are device malfunction, attacks, and data theft. These issues can result in a wide variety of damages.
Device Malfunction
IoT introduces a deeper level of automation, which can have control over critical systems and systems impacting life and property. When these systems fail or malfunction, they can cause substantial damage; for example, if an IoT furnace control system experiences a glitch, it may fail in an unoccupied home and cause frozen pipes and water damage. This forces organizations to put measures in place against such failures.
Figure: This smart thermostat allows attackers to gain remote access and breach the rest of the network.
Cyber Attacks
IoT devices expose an entire network, and anything directly impacted by it, to the risk of attacks. Though those connections deliver powerful integration and productivity, they also create the perfect opportunity for mayhem like a hacked stove or fire safety sprinkler system. The best measures against this address the most vulnerable points and provide custom protections such as monitoring and access privileges.
Some of the most effective measures against attacks prove simple −
- Built-in Security − Individuals and organizations should seek hardened devices, meaning those with security integrated in the hardware and firmware.
- Encryption − This must be implemented by the manufacturer and through user systems.
- Risk Analysis − Organizations and individuals must analyze possible threats in designing their systems or choosing them.
- Authorization − Devices, whenever possible, must be subject to privilege policies and access methods.
Figure: Bitdefender BOX secures all connected devices in the home.
Data Theft
Data, IoT’s strength and weakness, proves irresistible to many. These individuals have a number of reasons for their interest − the value of personal data to marketing/advertising, identity theft, framing individuals for crimes, stalking, and a bizarre sense of satisfaction. Measures used to fight attacks are also effective in managing this threat.
The three main liability areas that can arise relating to IoT are:
- IoT device malfunction, failure, and/or inaccuracy
- Cyber-attacks and the theft of personal and/or corporate data stored on the device
- Use of IoT devices and/or software that cause physical or financial harm such as botnets
When Intelligent Devices go wrong
An example of a liability is covered in the Washington Post article “Self-driving Uber vehicle strikes and kills pedestrian,” which stimulated my thinking about liabilities with IoT devices, platforms, and services. The article stated “Uber abruptly halted testing of its autonomous vehicles across North America on Monday, after a 49-year old woman was struck and killed by one of its cars while crossing a Tempe, Ariz. street Sunday night.” Who is liable? Is this a criminal or civil case? Is it covered by state or federal law? Was the driverless car insured?
The Blame Game has begun
It will be difficult for those blaming the driverless car and those who want to exonerate it. The Wired article “Uber Autonomous SUV ‘Not Necessarily’ At Fault In Woman’s Death” suggests that the death was the responsibility of the person who was hit by the car. This may turn out to be true. But there will be cases where the injured pedestrian was not at fault. What then?
What is Product Liability?
There is a definition of product liability posted by FindLaw: “Product liability refers to a manufacturer or seller being held liable for placing a defective product into the hands of the consumer. Responsibility for a product defect that causes injury lies with all sellers of the product who are in the distribution chain. In general terms, the law requires that a product meet the ordinary expectations of the consumer. When a product has an unexpected defect or damage, the product cannot be said to meet the ordinary expectations of the consumer.”
Is the IoT Endpoint Accurate?
IoT endpoints may not be accurate enough to make decisions using the IoT data. What if business decisions are made assuming their accuracy? The analytics will look good, but the raw data can be in error or devices can be hacked. I cannot confront the IoT endpoint itself, so who has the liability for errors: the endpoint manufacturer, endpoint implementer, the data analytics system, consultants, MSP, or the internal IT staff?
If the data is not accurate, and the organization makes decisions on faulty data, then who is responsible? Could the faulty decision lead to financial or reputation loss? What if someone was harmed because of the faulty data?
Who Does this Impact?
The chain of distribution for a product covers many organizations, not just the entity that owns or rents the IoT devices, including:
- Product manufacturer
- Manufacturer of component parts
- The product assembly party
- Product installer
- The wholesaler and the retail outlet that sold the product
IoT devices and the platforms supporting them add elements that can change the product, which include:
- The software that runs the product, whether it is provided by the manufacturer or uses third-party software
- Networks that provide connections to the product
- Its information security and access
- The organization that employs the IoT devices
The degree of liability may be hard to assign, so everyone may be sued and the courts will work out the degrees of liability.
IoT Liability Issues are a Work in Progress
Those organizations that choose to implement IoT devices need to thoroughly analyze the agreements they have with their suppliers of products and services to ensure that they are not the only ones liable for IoT problems. It may be that in some cases the potential agreements with suppliers are biased to the point where the organization should not buy the products or subscribe to the service.