Product Liability in IoT: Who Is Responsible for Vulnerabilities?

The proliferation of the internet of things (IoT) means that “smart” devices can now be found in homes, factories, and offices worldwide. The explosive rise of IoT technology means IoT law is only beginning to develop, and fundamental questions about product liability remain murky.

For example, how do courts determine who is responsible if hackers access and damage a smart factory machine, resulting in thousands of dollars lost — the owners of the IoT devices or the developers?

Case studies, early litigation, and legal analysis give us a sense of how courts will probably decide these questions in the future — and help manufacturers and end-users know what responsibilities they have regarding device security.

How Product Liability May Apply to IoT

Product liability law, in general, can be complex, even without considering factors specific to IoT technology.

There are no federal product liability laws, meaning damages will be determined using liability laws that exist at the state level. These laws are typically built on the legal theories of negligence, strict liability, or breach of warranty. They may help us to determine who, if anyone, could be held liable for damages caused by IoT device vulnerabilities.

As a result, rulings could also vary significantly from state to state, and a decision in one state may not predict how a case in another state may be settled.

The tangled web of IoT product support could also create issues. In addition to end-users and manufacturers, plaintiffs may also name other possible liable parties as defendants in a liability suit, including distributors, retailers, suppliers, quality-control engineers, consultants, and contractors.

Liability tends to rest with the product manufacturer or retailer. A retailer who stores a product improperly, for example, could be held liable if that storage practice results in demonstrable damage to the end-user.

However, the more complex the product, the more complex litigation can be — and IoT devices can be extremely complicated. This is especially true of smart technology that controls industrial machines or systems.

For example, improper configuration of an IoT device by a contractor or IT service provider could also lead to that contractor being held liable. If the end-user could prove that the configuration of the device resulted in damage or made the device more vulnerable to attack, a court could find the contractor liable for damages.

What Legal Experts Have to Say About IoT Product Liability

In an article for TechRepublic, information and cybersecurity writer Michael Kassner summarized some of the current legal analyses on IoT product liability.

Some experts believe that the nature of digital damages can also make product liability cases less predictable.

Physical damages can be quantified, making it easier to determine monetary damages. In the case of a hack, however, companies may find it more difficult to demonstrate real dollar counts for damage that is often intangible — in the form of lost files, downtime, and reduced client trust.

A blog post from Mason, Hayes, and Curran, cited in the piece, argues that businesses should expect a great deal of uncertainty.

Courts may require that “aggrieved IoT users” prove damages were caused as a result of an IoT maker’s actions. They may also adopt a “strict liability” approach, where developers could be held responsible for damages even without that kind of proof.

Liability could also be apportioned among all concerned parties, divvying up responsibility between stakeholders like the IoT user, the developer, distributors, and even the hackers who attacked the IoT device.

Depending on the nature of the damages, IoT liability cases may involve both civil and criminal liability. For example, if an automated car crashes into an oncoming vehicle due to incompatibility with a smart city traffic light, criminal liability could become a possibility.

IoT Product Liability Could Create Challenges for End-Users and Developers

As the market for internet of things devices grows, IoT liability is likely to become a critical issue for both end-users and developers. This could be especially true for end-users of industrial IoT products, who may face the potential for significant damages if an IoT device is compromised by hackers.

Experts expect significant uncertainty in the near future. Courts and lawmakers may adopt a range of positions on IoT liability. Developers could be held liable for damages often, or only in cases where end-users can prove that actions on the developer’s part led to the damages.

Disclaimer: Being a follower of ‘The IoT Magazine’ offers lots of perks :) A consultation session with experts from across the industries is a major one. Submit your query here and we will connect you with the right IoT experts. He might be sitting next door, you never know.