The Internet of Things is here. So are the liabilities that come with the deployment of IoT devices, software, and services. You are entering a new world, a world where you have little or no experience. There will be liabilities for IoT use. Who is responsible if there is an error, illness, injury, or financial loss when an IoT problem arises? Who do you sue? Are there regulations that cover the problem? Is this a civil or criminal matter? Who has jurisdiction?
Poor security of IoT devices can be a liability? This blog contains my opinions. It is not a legal argument and I am not a lawyer. Are your IoT implementers considering the liability issues?
The three main liability areas that can arise relating to IoT are:
- IoT device malfunction, failure, and/or inaccuracy
- Cyber-attacks and the theft of personal and/or corporate data stored on the device
- Use of IoT devices and/or software that cause physical or financial harm such as botnets
When Intelligent Devices go wrong
As an example of a liability is covered in the article in the Washington Post “Self-driving Uber vehicle strikes and kills pedestrian” stimulated my thinking about liabilities with IoT devices, platforms, and services. The article stated “Uber abruptly halted testing of its autonomous vehicles across North America on Monday, after a 49-year old woman was struck and killed by one of its cars while crossing a Tempe, Ariz. street Sunday night.” Who is liable? Is this a criminal or civil case? Is it covered by state or federal law? Was the driverless car insured?
The Blame Game has begun
It will be difficult for those blaming the driverless car and those who want to exonerate it. The Wired article “Uber Autonomous SUV ‘Not Necessarily’ At Fault In Woman’s Death”
suggests that the death was the responsibility of the person who was hit by the car. This may turn out to be true. But there will be cases where the injured pedestrian was not a fault. What then?
What is Product Liability?
There is a definition of product liability posted by FindLaw: “Product liability refers to a manufacturer or seller being held liable for placing a defective product into the hands of the consumer. Responsibility for a product defect that causes injury lies with all sellers of the product who are in the distribution chain. In general terms, the law requires that a product meet the ordinary expectations of the consumer. When a product has an unexpected defect or damage, the product cannot be said to meet the ordinary expectations of the consumer”
Is the IoT Endpoint Accurate?
IoT endpoints may not be accurate enough to make decisions using the IoT data. What if business decisions are made assuming their accuracy? The analytics will look good, but the raw data can be in error or devices can be hacked. I cannot confront the IoT endpoint itself, so who has the liability for errors: the endpoint manufacturer, endpoint implementer, the data analytics system, consultants, MSP, or the internal IT staff?
If the data is not accurate, and the organization makes decisions on faulty data, then who is responsible? Could the faulty decision lead to financial or reputation loss? What if someone was harmed because of the faulty data?
Who Does this Impact?
The chain of distribution for a product covers many organizations not just the entity that owns or rents the IoT devices including:
- Product manufacturer
- Manufacturer of component parts
- The product assembly party
- Product installer
- The wholesaler and the retail outlet that sold the product
IoT devices and the platforms supporting the IoT devices add elements that can change the product which include:
- The software that runs the product, whether it is provided by the manufacturer or uses third-party software
- Networks that provide connections to the product
- Its information security and access
- The organization that employs the IoT devices
The degree of liability may be hard to assign, so everyone may be sued and the courts will work out the degrees of liability.
IoT Liabilities issues are a Work in Progress
Those organizations that choose to implement IoT devices need to thoroughly analyze the agreements they have with their suppliers of products and services to ensure that they are not the only ones liable for IoT problems. It may be that in some cases the potential agreements with suppliers are biased to the point where the organization should not buy the products or subscribe to the service.
Edited by Ken Briodagh