The “Internet of Things”: An Inconvenient Truth

Written by: Sam Crochet, Esq.

Technology is developing at an explosive pace, which is creating endless opportunities for improvement across industries. For years we have remotely accessed information from our smartphones, but now we are on the front wave of remotely accessing physical devices themselves. Doctors have the capability of adjusting patients’ insulin pumps without the need for an office visit. Some of us control our home security and utilities devices while on vacation. “The Internet of Things” (IoT) promises to make our lives more convenient. However, this evolution attaches tremendous risk to those within the healthcare, retail, hospitality, and manufacturing communities, which could trigger wide-ranging legal implications.

Plaintiffs’ attorneys are waiting in anticipation of the converging world of products liability and data breach litigation. Last summer, St. Louis-area security researchers performed a controlled simulation in which they cut off a Jeep’s brakes/transmission while its driver drove on a major highway. Backlash from the experiment forced Chrysler to recall 1.4 million automobiles to address the “vulnerabilities” at issue. For reasons like this, plaintiffs’ attorneys are asking courts to impose a pre-sale duty to warn of the risk of IoT “breaches.” Along these same lines, given the pace at which IoT technology is evolving, the likelihood of a breach can change on a daily basis. For example, at the time of purchase, a car could be virtually “hack proof.” However, within weeks, hackers could discover vulnerabilities. Of course, plaintiffs’ attorneys are lobbying for a post-sale duty to warn as well, which would force manufacturers to direct substantial resources to the real-time monitoring of these “cyber-weaknesses” and the complex legal obligations that ensue, such as the duty to notify individual customers and to follow the different legal requirements of their respective states.

Industries such as healthcare, retail, and hospitality will face increased risk from the IoT evolution as well, including, but not limited to, (1) securing data related to the use of IoT devices and (2) avoiding “ransomware” attacks that are known to lock up networks and render IoT devices useless, resulting in a complete loss of productivity until the ransom is paid. Consider the ramifications of a hacker who blocks the network of an Atlanta-area physician who routinely uses a smartphone to adjust the settings of a patient’s pacemaker in Los Angeles. The provider will have little choice but to pay the hacker the ransom so it can recapture the network and ensure the safety of the patient. Such examples are endless. The “ransomware” approach has already grabbed headlines across the healthcare industry and data privacy world as hospitals have “paid up” in order to recapture medical record databases and operating systems.

Given the direction of these issues, manufacturers, healthcare providers, and members of the retail and hospitality community have an enormous interest in complying with current cyber-laws and in being proactive in creating a risk management program to limit future cyber-liability and harm to reputations. Our cyber-security/data privacy attorneys routinely walk clients through the web of compliance and protection risks associated with these issues. We provide proactive strategies to reduce the chances of a security breach and also remedies to reduce loss-exposure should products, data, or devices be compromised.
