IoT and Liability

Following on from previous articles concerning the internet of things (IoT), in this article we consider liability issues associated with the increased prevalence of web connected devices.

What Liability?

The increased prevalence of IoT devices raises a litany of intriguing questions.  For example, if a defective security feature in a home heating system designed to allow a home owner to remotely switch on their heating using a smart phone, allows a thief access to an interconnected home security system so they can disable the security and access the home, who bears the liability?  Is it the manufacturer of the heating system or the security system? Is it the IoT hardware or software provider for not incorporating adequate security features? Is it the home owner’s fault for not installing the latest security patch on their system or for not using the right settings on their system, leaving them vulnerable to attack?

The interaction between each of these parties must be clearly identified, to determine where in the chain responsibility for any loss arising will lie.

Whose Liability?

The introduction of IoT devices into a variety of products is likely to alter allocations of liability across different parties.  While fundamentally, liability will still be attributed to the party responsible for the failure or event, the likely causes of that liability have changed. Consequently, the following questions should be considered by each party connected to the IoT device:

  • Product Manufacturers – Despite the involvement of many subsequent parties, product manufacturers should not discount their potential liability. If a product is defective, or if it malfunctions, then liability may rest with the manufacturer, regardless of the integration of software. For example, if the sensors in a pace maker are defective, which means that the embedded software fails to send the required pulses to the heart, the manufacturer of the sensors may ultimately bear the responsibility and will need to take this into account in their supply arrangements.
  • Hardware Providers – Hardware providers should be wary of liability arising from defective IoT equipment, or a failure to properly install hardware, and if appropriate may seek to limit their liability. This is particularly relevant as hardware devices which are so cheap they are effectively disposable become commonplace, as it naturally leads to a compromise between small, low cost hardware and the capacity to incorporate an ideal (or even basic) amount of security features. However, should a provider of low cost hardware be able to limit its liability even if the hardware is so embedded in the IoT landscape that any defect causes significant flow on harm? Similarly, what if customers or third party providers are responsible for the installation, maintenance and configuration of the hardware?
  • Network Providers – Fitness trackers, smart refrigerators and autonomous cars are simply isolated pockets of technology until they are connected to the internet through a network provider. However, as the demands placed on network providers increase exponentially with the IoT, so does the parallel risk if a network fails or experiences an unplanned downtime. Should the network provider be able to contract out of liability, when devices such as autonomous cars and security systems are contingent on the connection it provides?
  • Software Providers – The majority of IoT devices will rely on software to achieve their purpose, which naturally places the software provider at risk of liability in the event of a defect or failure. Consider however, whether there should be a difference in liability between software that has been purpose built and configured for a specific function and commercial off the shelf software that was purchased by a cost conscious party? Should software providers have a duty to inform and educate all users, and be liable for a failure to adequately do so? Does this duty extend to updates indefinitely?
  • Hackers – If an IoT device is hijacked through a vulnerability, or software deficiency in the device, to what extent should the hacker be liable for any harm caused? There is no dispute that individuals who use IoT devices to cause damage, steal or invade people’s privacy should be held accountable but the reality is that it may be very difficult to actually prosecute the behaviour, and in many instances another party may have contributed to the harm, for example, by failing to install a security update.
  • Users – The failure by users to install software updates, to create secure passwords, or to ensure they know how to use the device as intended, significantly heightens the risk arising from IoT devices. Many IoT devices are highly accessible to individual users, who may not be aware of how to protect themselves from loss, or how to mitigate a situation once loss has occurred. Where should liability fall when a user has intentionally clicked ‘not now’ on multiple software updates, which led to a data breach?

Conclusion

The number of participants in the typical supply chain and manufacturing process has increased, necessitating a change in the mindset of each party, as IT companies now need to think like product manufacturers, and product manufacturers need to think like IT companies.

This means a re-evaluation of what risks an organisation may need to consider and mitigate through practical measures including design, manufacturing and maintenance processes, and also through their contractual mechanisms with the other participants in the supply chain.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

Rhiannon Fletcher
Lawyer
M: 0418 966 390
E: rfletcher@pageseager.com.au

Copyright © 2016 Page Seager. Privacy Statement Privacy Policy