Litigating the Internet of Things
April 20, 2017
Let’s say you manufacture a connected oven, and the six o’clock news runs a story in which researchers claim they can remotely access and turn on the broiler. Anyone exploiting such a vulnerability would be committing a felony, but luckily, no exploit happened. But before you know it, you are slapped with a class action lawsuit claiming economic injury because some consumers would not have bought the oven if they knew it was “defective”—i.e., that it was susceptible to potential third party “hacking.”
As far-fetched as such lawsuits might sound, they may become more common. Everyday devices – cars, home lighting controls, alarm clocks and fitness trackers – are now connected to the Internet. These “Internet of Things” (IoT) devices, like smartphones and laptops, are under scrutiny by ethical and not-so-ethical hackers, and may be vulnerable to evolving threats. And where there’s an issue affecting large numbers of consumer products, litigation looms. This litigation, however, comes at the cost of important progress.
Two cases highlight the litigation potential facing IoT manufacturers and sellers when it comes to security. In Cahen v. Toyota Motor Corp., class-action plaintiffs claim that vehicles contained electronic control units that could be hacked, and seek money damages despite there being no actual exploit or breach. A district court in California dismissed the suit for lack of standing, but its decision is on appeal at the Ninth Circuit. The case has been argued and is awaiting a decision.
Similarly, in Flynn v. FCA US LLC, plaintiffs are suing Chrysler over alleged vulnerabilities in their cars’ uConnect system that they claim could allow hackers to take control of the vehicle. A number of their claims were dismissed for lack of standing, but others remain pending.
Cases like these may be just the start. Unless courts and policymakers draw sharp lines, as connected devices are deployed, the likelihood of such lawsuits only increases. Litigation may require courts to set new standards and de facto regulations that will shape the future of the Internet of Things. But is this a job for courts?
The entry of federal courts (or arbitrators for those companies that can effectively deploy arbitration clauses) into this fast-moving and technical space might not be a welcome development. Although courts have an important role to play generally, they are not the best place to develop technology policy. Lawsuits are limited to the parties and evidence specific to that case and offer little to no opportunity for the public to participate. Plus, the judiciary does not have the expertise to develop standards to make devices more secure. Yet the outcomes of these lawsuits have serious implications – establishing new standards and responsibilities for the private sector. Rulings, or jury verdicts, might resolve the case, but could have industry-wide implications that slow innovation in a burgeoning industry.
Contrast this approach with what the government is doing. Government agencies, such as the NTIA, the FTC, and NIST, are evaluating the market and developing best practices for IoT technology. Congress is setting up caucuses and working groups to study these issues and avoid a rush to regulation. Agencies have convened working groups of experts and held open forums where stakeholders discuss challenges and desired outcomes. These public efforts have resulted in dialogues between manufacturers, cybersecurity experts, and consumer groups, and can lead to recommendations and best practices that have broad support and create space for manufacturers to continually address security.
Ironically, litigation over product security may ultimately make devices less secure. As my colleague Megan Brown discussed at a recent U.S. Chamber of Commerce panel, the risk of litigation may chill needed communication and collaboration. The fear of civil discovery might discourage a software designer from discussing a vulnerability with a product manufacturer, or make companies hesitant to engage security researchers. This destroys the collaboration and sharing that will make the ecosystem smarter and safer.
The Internet of Things offers an exciting new world. But like any new field, there are new risks that need to be addressed. Device security is one such risk. As Tom Donohue of the Chamber of Commerce notes, “the right legal and regulatory framework plays an important role in making new technologies safe and secure.”
Thankfully, industry and government understand this need and are developing that framework, based on partnerships and collaboration. But if we’re not careful, litigation could slow this important progress. We should be wary of letting courts hack into this regulatory space.