The Future Is Here: The Internet Of Things And The Law

By Kelly A. Williams

The Internet of Things or "IoT." What is it? Simply put, it is the ability of everyday objects to connect to the internet and send and receive data. These objects are all around us. It is any washing machine that can be serviced over the internet. It is a thermostat that can be controlled by an "app" on your phone. It is security cameras installed at your home and feeds viewed from your devices.The IoT is here and growing quickly. According to a 2015 Federal Trade Commission Staff Report, 25 billion devices will be connected to the internet by 2020. The IoT has and will continue to have varied and far reaching implications for the law.

Businesses are expected to be the top adopters of IoT solutions because they will use the IoT to decrease costs, increase productivity and to expand products and/or services. Nearly every industry is likely to benefit from the IoT, including manufacturing, transportation, defense, agriculture, infrastructure, retail, logistics, banks, oil, gas and mining, insurance, utilities, hospitality, healthcare, commercial and residential construction and food services.1

The Good - The Internet Can Improve Lives

The IoT has the potential to provide invaluable services. For instance, medical devices connected to the internet can provide information to physicians that can save lives. Other objects are less critical but nonetheless useful. Who wouldn't enjoy the ability to check how much milk they have in the refrigerator from the office? And, who hasn't at least once wished that they could confirm that they locked all the doors after rushing out of the house? And, the comfort of seeing that your four-legged family members are doing fine at home via "nanny cam" while you are at work? Priceless. At a minimum, such possibilities are certainly enticing.

The Bad - The Internet Can Ruin Lives

The catch is that the IoT also has the potential to put us at greater risk for personal injury, loss of property and loss of privacy. Many IoT devices were designed for convenience rather than security. They often lack robust protection against intrusions. Moreover, they are not easily updated or patched to prevent them. For example, automobiles can be remotely controlled by "hackers." Televisions, security cameras and baby monitors can be used as spying devices. In August 2017, the Food and Drug Administration recalled nearly half a million pacemakers due to security flaws that could allow hackers to reprogram the devices to run the batteries down or even modify the patient's heartbeat.

Even the U.S. military is not immune from the dangers of the IoT. The Washington Post reported on January 28, 2018, that an interactive map posted on the internet shows the location of U.S. military members who are wearing Fitbit and Jawbone fitness trackers at U.S. military bases all over the world, including sensitive locations. While some information is public knowledge, such as the existence of the base itself, the tracking information reveals much more such as patterns of activity, including patrol routes, which could be used to plan and execute attacks.

The Ugly - The IOT Creates Additional Legal Risks and Insurance Coverage Issues

The IoT also presents additional legal risks to entities that rely upon connected devices. Companies may face product liability claims for bodily injury or property damage due to hacking or defects involving sensors or software. The IoT may require new language in supply chain agreements for shifting and allocating risk. Moreover, new governmental regulatory compliance requirements may arise. The IoT also exposes companies to negligence, breach of contract, breach of express and implied warranty, fraud, unjust enrichment and violation of consumer protection law claims. The IoT also creates insurance coverage issues.

Lawsuits are already being filed. The first class action suit arising from the IoT was Cahen v. Toyota Motor Corp., Civ. Action No. 4:15-cv-01104 (N.D. Cal., San Francisco Div.). There, each vehicle at issue had up to 35 separate electronic control units and a "controlled area network." Plaintiffs alleged that "vehicle functionality and safety depend[ ed] on the functions of these small computers, the most essential of which [was] how they communicate[d] with one another." Plaintiffs further asserted that a "hacker could take control of such basic functions of the vehicle as braking, steering and acceleration - and the driver of the vehicle would not be able to regain control." Plaintiffs' theories of liability included breach of warranty, breach of contract, fraud and invasion of privacy.

Importantly, plaintiffs in the Cahen suit did not allege actual hacking but merely that the vehicles were vulnerable to hacking. Consequently, defendants argued that plaintiffs lacked standing because they could not prove any "injury in fact" that was actual or imminent. Plaintiffs countered that they would not have purchased the vehicles or paid as much if they had known about the vulnerability. The court held that plaintiffs' claims were too speculative and dismissed the suit. This ruling was upheld by the Ninth Circuit on December 21, 2017.

A similar IoT-related lawsuit was prompted by an article in Wired magazine in July 2015. Wired reported that a Chrysler Jeep had been remotely hacked and critical safety systems were controlled by the hacker. The article led to a recall by Chrysler Fiat of 1.4 million vehicles and another class action suit: Flynn v. FCA US LLC, Case No. 3:15-cv-855 (S.D. Illinois). In Flynn, the problems arose from an "infotainment system" called UConnect. The recall offered software patches. According to plaintiffs, the recall was insufficient because it did not eliminate the connection of nonsecured systems to essential engine and safety controls. Plaintiffs alleged breach of warranty, fraud, negligence, unjust enrichment, and state consumer fraud and business practices violations.

In contrast to Cahen, the Flynn court did not dismiss the suit. The court held that plaintiffs had sufficiently alleged injury, and hence standing, because plaintiffs alleged ongoing vulnerabilities had reduced the market value of their vehicles. The case is still pending.

In addition to personal injury and property damage claims, the IoT creates an increased risk of security and data breaches. IoT devices can be the weak link to accessing personally identifiable information. Just ask Target. The now infamous Target breach occurred when an employee of an HVAC vendor opened an email with malware which then invaded Target and its point of sale system. It was easy for the malware to invade Target's system because the HVAC vendor had direct access to Target's computer system to monitor the performance of the HVAC system.

To date, data breach laws vary across the country, with each state having its own laws, except Alabama and South Dakota (South Dakota has legislation pending for 2018). Companies must work through a patchwork of state laws when customers across the country are affected by a breach. Moreover, companies who do business in Europe must be compliant with the European Union's General Data Protection Regulation, which governs privacy and security of personal data, by May 25, 2018. Fines for noncompliance can be steep as the fines are based upon a percentage of a company's revenue.

The IoT also raises a variety of insurance coverage issues for companies. Commercial general liability ("CGL") policies raise the issue of whether a defective product claim arising from the IoT will qualify as an "occurrence," a requirement for coverage. When a product is a component in a larger product and the larger product is damaged, a situation which may increase with the increased supply chain involving IoT products, exclusions may limit coverage. Also, an exclusion may apply to the IoT which precludes coverage for "damages arising out of the loss of, loss of use of, damage to, corruption of inability to access or inability to manipulate electronic data." Moreover, the "products-completed operations hazard" exclusion applies for liabilities arising from "work that has not yet been completed or abandoned." This begs the question of whether an IoT product is ever complete if it requires updates.

With respect to data breaches, since 2014, CGL policies exclude coverage for nonphysical loss arising from data breaches. Insurers are increasingly offering cyber insurance policy options. Older policies concerned the nature of the breach and location of data. New policies cover nearly all data breach and privacy liabilities for which the insured is legally responsible, subject to varying exclusions. However, a company should not assume that cyber policies provide adequate protection for IoT-related product liability exposure. Selecting and negotiating the right cyber insurance policy for IoT protection presents unique challenges relating to the nature of the connected object, its tangible and intangible aspects and its uses and impact. A company seeking insurance must be careful to identify gaps in existing coverage and proactively work with insurers to obtain coverage for the company's risks created by the IoT.

The IoT is having a huge impact on our lives, the way companies do business and the law. This is only going to increase over time. Understanding this and the IoT's impact on one's business or client's business is critical to effective legal representation in our ever-increasing, interconnected world.