The internet of things (IoT) , the ability of everyday objects to remotely connect to computers, promises connection, convenience and new market opportunities for manufacturers and developers.
For the users of smart devices and apps, the convenience factor comes with new risks unimaginable with 'dumb' devices, and for manufacturers too, the risk that customers and courts will hold them responsible for any losses suffered.
Once devices connect to the internet they are vulnerable to exploitation and can provide an unsecure point of access to a network.
Smart devices have been used to launch high profile distributed denial of service (DDOS) attacks, send spam emails, spy on families through baby monitors and toys, and steal corporate and personal data.
One such infamous case involved a casino getting hacked through its internet-connected fish tank. The potential for malicious hackers to obtain sensitive information and to disable valuable items (such as cars or computers) for ransom is widely acknowledged.
As technology expands with homes and workplaces become more connected, breaches will become more common and users may start looking to manufacturers for compensation.
Several avenues are available and we consider potential liability in negligence and also under the Privacy Act.
Manufacturers' product liability
For a manufacturer to be liable in negligence to a consumer, it must owe a duty of care in relation to the kind of harm that eventuated.
A range of circumstances will be relevant to whether a duty of care exists, including any marketing material about the device, the degree of risk, the ease with which the manufacturer could provide protection, and the steps open to consumers to protect themselves.
The law does not usually require somebody to take action to prevent harm caused by the deliberate misconduct of third parties.
However, where the malicious action is a known risk, as it surely is in the IoT, courts may well conclude that some minimum level of security is required in order to safeguard consumers, especially where users have little ability to take steps to protect themselves from risks created by devices.
Manufacturers may also owe a duty to entities affected by DDOS attacks which exploit vulnerabilities in smart devices to swamp a website and render it inaccessible.
There are complexities to such claims, but DDOS attacks can cause serious financial losses and the risk of smart devices being exploited in this way is well-known.
Organisations affected by such attacks, unable to hold the perpetrators accountable, may seek to recover from the manufacturers of poorly secured devices that enabled the attack.
Smart devices could also involve manufacturers in liability under the Privacy Act. Agencies that collect information, including through smart devices, must ensure that reasonable security measures are taken to prevent loss, disclosure and other misuse of the data. Liability may be found even if the victim of a data breach suffered no financial loss.
Whether the duty applies in negligence or under the Privacy Act, the security required will depend on the circumstances, including the sensitivity of the information being collected.
Devices that monitor and collect health information, or keep financial information, will be held to a higher standard than other devices, but manufacturers should not assume that apparently "mundane" information is "safe".
Even seemingly innocuous data can be combined to reveal personal and sensitive information, or to help deanonymise data.
What can companies do to protect themselves?
In determining whether a duty has been breached, courts will likely look to industry standards and recommended practices. Manufacturers concerned about their liability should do the same.
In addition, ensuring that devices only collect and store relevant data, and that redundant data is not retained, will reduce the scope of potential data breaches.
Finally, manufacturers and suppliers should consider whether their insurance provides cover for liabilities of this kind.
This article was first published by CIO New Zealand and available to view here.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.