Products Liability and the Evolving Internet of Things
March 18, 2019 at 09:59 AM
The Internet of Things (IoT) is a rapidly evolving way of thinking about the internet and how the devices we use every day interact. IoT describes the developing system in which “smart” devices interact with each other through the internet to gather and exchange data to provide additional functions, security and ease-of-use for human users. While it provides significant promise as a means of creating value and convenience for consumers, it also raises thorny legal issues. This article will address issues relating to liability for damages arising out of device or system malfunctions or outside malfeasance. In a future installment, we will address contractual and other measures to manage and apportion risks and liabilities.
The internet and the devices we use to access it have evolved dramatically. Early websites operated much like brochures, providing basic information about the site owner and its products or services. Since the advent of smartphones and tablets (Apple introduced the first iPhone in 2007), the internet has evolved into a more interactive realm, allowing website owners and consumers to engage and share information. IoT is taking connectivity to a higher and even more interactive level. Some consultants define IoT as the point in time when the number of internet-connected devices exceeded the number of people. This first occurred in 2010, when the number of connected devices reached 12.5 billion as compared to the worldwide human population of 6.8 billion. Cisco recently projected that the number of connected devices will exceed 50 billion by 2020.
Although the space is quickly evolving, current products, applications and services that rely on IoT connectivity include:
- Smart appliances, systems and applications, like ADT, Vivint and Ring, link various home systems (such as thermostats, alarms, electronic doors, power and home networking) with the user's smartphone for remote monitoring and activation;
- Municipal utility systems use remote sensing devices (in the electrical grid, on natural gas meters and on water meters) to detect flow status and leaks;
- Friend-finder and family security applications, such as Life360, FindMyKids and similar apps, allow users to locate and monitor family members, including tracking teenage drivers' travel and rate of speed and alerting parents to travel interruptions suggesting a traffic accident;
- Internet-connected toys, like HelloBarbie, VTech and various learning toys, collect and store personal data and recorded messages and allow users to remotely monitor and communicate with children and even pets;
- Wearable, connected medical devices collect and monitor biometric data, vital signs and other diagnostic parameters and communicate with the user, caregivers and health care providers to assist in monitoring or diagnosing medical conditions or remind the user to take medications;
- Personal health and fitness wearable devices, like FitBit and others, collect biometric data and provide information and suggestions to the user on exercise and health.
These devices and applications offer powerful functionality and benefits to their users because of the way they retrieve data from disparate sources, process that data, and deliver it to the user in a way that creates a new type of value (like delivering a message that the power is out at your house, allowing for automatic or remote activation of HVAC systems, or notifying a caregiver that an elderly family member is not following usual activity patterns). These same innovative features also create the potential for new types of liability arising from security and privacy risks.
Products liability law evolved to assign responsibility for injuries resulting from defective products to product manufacturers (and sellers). The primary goals of products liability law are to compensate injured parties and assign responsibility to the party (the manufacturer) in the best position to ensure the safety of its products. Laws vary from state to state, but generally a product manufacturer will be “strictly liable” (without regard to fault) for personal injuries and property damage caused by a defective product. Products may be deemed defective based on: design defects (which may be determined by either a risk/benefit analysis or a consumer expectations test); manufacturing defects (does the product conform to specifications); or inadequate warnings (about foreseeable risks of a product).
Traditional products liability principles apply reasonably well to IoT devices when the device itself malfunctions. For example, liability for burst pipes due to a smart thermostat's failure to activate can be analyzed and allocated under traditional design or manufacturing defect concepts. The potential for a malfunction due to a software failure, however, adds a layer of complexity to the analysis, including determination of whether the software was defective and allocation of liability for any defect between the device manufacturer and the software supplier.
Liability is more difficult to judge in the IoT realm, where devices are increasingly integrated into networks. In the past, manufacturers have been held liable where defects in their products caused a series of failures in other, integrated products only when the manufacturer “substantially participated” in the integration of its products into the overall design of the network. This notion makes less sense for IoT devices intended to collect and communicate data to a network of other devices that have little utility apart from the integrated network.
Privacy threats and liability for security breaches fit less neatly in the traditional products liability framework, which may require an evolution of products liability law. The lack of clear, universal industry standards for IoT security makes proof of the existence of a design defect difficult.
Issues of liability allocation, product misuse and proximate cause also are more complex in the context of IoT. For example, if a wearable device that measures biometric information and displays data through an app on the wearer's smartphone runs on software that is susceptible to hacking, will the manufacturer be liable for resulting harm if a hacker exploits that weakness to steal the user's personal information? Who is responsible when a hacker accesses patient data from a health monitoring device, interferes with the functioning of the device, or disables a hospital network? How will liability be allocated when a security breach is due, at least in part, to a consumer's failure to take appropriate measures to secure his/her devices and data? What if a user fails to heed warnings of vulnerabilities or follow instructions to minimize risks? The intervening criminal activity of a hacker also raises proximate cause issues that may preclude a manufacturer's liability under a traditional tort law analysis. Consistent with the risk allocation goal, however, courts may be tempted to apply concepts of economic efficiency to assign liability to IoT product manufacturers on the theory that device manufacturers and software developers are better positioned than consumers to anticipate and avoid cybersecurity risks.
The types of damages resulting from security breaches typically are not recoverable under existing products liability law. In most instances, products liability law permits recovery of damages arising from personal injury or physical damage to property but bars recovery for purely economic losses, including business disruption and other purely financial losses. Will this traditional shield from economic damages hold up when a device manufacturer's software defect allows a hacker to engage in mass financial fraud or identity theft, or creates massive business interruptions from a disabled network? Alan Butler, senior counsel for the Electronic Privacy Information Center, recently suggested in a prominent law review article that this traditional rule should not bar recovery in all circumstances, and the law may evolve to allow for recovery of catastrophic consumer and business losses.
Legislators and regulators also may get involved. Legislatures tend to be reactive, adopting new laws to address perceived wrongs when society and the marketplace experience pain. In the face of consumer reaction to catastrophic data security breaches, Congress or state legislatures may adopt data security legislation or regulations imposing liability on parties that collect, store or transmit data in the IoT realm. In November 2018, the U.S. House passed the “SMART IoT Act,” which directs the Secretary of Commerce to conduct a study and report to Congress on internet-connected devices and activities of federal agencies related to IoT devices. The bill was referred to the Senate Committee on Commerce, Science, and Transportation but not passed before the end of the 115th Congress. Likewise, California in 2018 passed the country's first cybersecurity law pertaining to IoT devices (it will take effect in early 2020, just as the state's overall new privacy law also becomes effective).
In May 2018, the U.S. Consumer Product Safety Commission (CPSC) held a public hearing to receive input “about potential safety issues and hazards associated with internet-connected consumer products” to inform its future risk management work. CPSC specifically stated, however, that it does not consider “personal data security and privacy issues that may be related to IoT devices” to be hazards that it would address.
While the emerging IoT marketplace has the potential for enormous economic value creation, it also presents the potential for significant liability. Traditional products liability law likely will evolve to address the challenge of IoT, either through judicial decisions or new legislation, and market participants should remain on guard for those changes. As the law evolves, product manufacturers, app developers and network operators also should be proactive, by planning for data security in advance, analyzing and addressing foreseeable physical and security risks during product design, developing effective consumer warnings and instructions and implementing protections in their network contracts to minimize their risk. In our next article, we will discuss contracts best practices, including contractual means to manage risks relating to products liability and information/cybersecurity matters.
Donald P. Boyle Jr., Mitzi L. Hill, LeeAnn Jones and Jonathan B. Wilson are partners in the law firm of Taylor English Duma.