Exploring the Unknown Liabilities of IoT
Use of IoT devices creates new risks and will require a new focus on liability.
You cannot avoid dealing with the Internet of Things (IoT). As you implement IoT devices, you are entering a new world -- a world with which you have little or no experience. Will there be liabilities for IoT use? Which regulations apply and will more regulations be forthcoming? Who has jurisdiction? Is poor security of IoT devices a valid claim for liability?
This blog contains my opinions. It is not a legal argument and I am not a lawyer. I am concerned that IoT implementers are not considering the liability issues.
The three main liability areas that can arise relating to IoT are:
- IoT device malfunction and/or inaccuracy
- Cyber-attacks and the theft of personal data stored on IoT devices
- Use of the IoT devices and/or software that causes physical or financial harm
When Intelligent Devices Go Wrong
My thinking about liabilities regarding IoT devices, platforms, and services was kick-started by a recent Washington Post article about a self-driving Uber vehicle that struck and killed a pedestrian. Uber responded by immediately halting testing of its autonomous vehicles across North America.
Who is liable in this scenario? Is this a criminal or civil case? Who will be sued? Is it covered by state or federal law? Was the driverless car insured?
The Blame Game Has Begun
The Uber incident will be challenging from both sides. Another article, "Uber Autonomous SUV 'Not Necessarily' At Fault In Woman's Death," suggests that the death was the responsibility of the person who was hit by the car. This may turn out to be true, but if the deceased person's family does not agree, there will be a court battle, with all parties involved incurring court, lawyer, investigator, and expert costs. The same situation will probably happen with early IoT problems.
What Is Product Liability?
According to FindLaw, product liability "refers to a manufacturer or seller being held liable for placing a defective product into the hands of a consumer. Responsibility for a product defect that causes injury lies with all sellers of the product who are in the distribution chain. In general terms, the law requires that a product meet the ordinary expectations of the consumer. When a product has an unexpected defect or danger, the product cannot be said to meet the ordinary expectations of the consumer."
Is the IoT Endpoint Accurate?
In my previous blog, "Is IoT Accurate?" I pointed out that IoT endpoints may not be accurate enough to make decisions using the IoT data.
"What if business decisions are made assuming their accuracy? The analytics will look good, but the raw data will be in error. I cannot confront the IoT endpoint itself, so who has the liability for errors: the endpoint manufacturer, endpoint implementer, the data analytics system, or IT staff?"
If the data is not accurate, and the organization makes decisions based on that faulty data, then who is responsible? Could the faulty decision lead to financial or reputation loss? What if someone was harmed because of the faulty data?
Who Does This Impact?
The chain of distribution for a product includes:
- Product manufacturer
- Manufacturer of component parts
- Party that assembles the product
- Party that installs the product
- Wholesaler and the retail outlet that sold the product
IoT devices and the platforms supporting the IoT devices add to that list:
- Software that runs the product, whether it is provided by the manufacturer or uses third-party software
- Network that provides connections to the product
- Security implemented to protect the product and its information
- Organization that uses the IoT devices
As should be clear from this list of players, the degree of liability may be hard to assign when something goes wrong.
Can There Be Insurance?
You have insurance because you want to reduce the financial risk of future problems. You pay for the premiums but you don't want to collect on the policy. I have insurance as a consultant, homeowner, and a car owner/driver. Most insurance premiums are based on statistical analysis of past experiences. The question is, how do I insure environments where there are IoT devices with embedded software that is new to the industry? If the organization cannot buy the appropriate liability insurance, will this curtail the adoption and implementation of IoT devices?
IoT Is a Work in Progress
There is always a potential for IoT device malfunctions or for the device or network to be hacked. Use of IoT devices creates new risks and will require a new focus on liability. It appears that lawmakers and regulators will be catching up with the liabilities, so in the early days many of the judgments may come through lawsuits and be settled by the courts, with costs to everyone involved.
Those organizations that choose to implement IoT devices need to thoroughly analyze the agreements they have with their suppliers of products and services to ensure that they are not the only ones liable for IoT problems. It may be that in some cases the potential agreements with suppliers are biased to the point where the organization will not buy the products or subscribe to the service.
Two articles worth reading are "Is the Internet of Things Ripe for Product Liability Law?" and "Untangling the Web of Liability in the Internet of Things."