Skyrocketing risks caused by the escalating number of smart and dumb things connected to the internet can break you in four ways:
- as a producer of the things, you can be sued to bankruptcy by consumers;
- as a CEO or board member, you can be sued by your shareholders;
- as a person, you can lose your privacy; and
- as a supplier, you can be sued by your customers.
What are the criteria for liability?
Now that we are well into what Porter and Heppelmann in 2014 described as the third wave of IT, we see the number of internet-connected smart products exploding, just as these authors predicted.1/2
Bathroom fans, door locks, barbecue grills, pacemakers and light bulbs are but a few of the newcomers. Power grids, factory machinery and cars are becoming old-timers. Prices for equipment, processing power and bandwidth have dropped so low, while capacities have increased so much, that only our imagination limits the application of connected things.
But what if you are hit by a cyberattack that shuts down an essential service or product your business relies on? After days of investigation, you realize your organization is exposed to several hidden risks, and has been for who knows how long. What happened, and who is liable?
Hardly a day goes by without news of a new data breach or cyberattack. One much-used method is the botnet attack. Botnet operators may use everything from toasters to home routers to launch massive distributed denial of service (DDoS) attacks on any target. A large one may shut down important infrastructure, as the Mirai botnet did in 2016 when its attack on the DNS provider Dyn knocked newspapers, television services, Twitter, Netflix and more offline.3
Who pays the price for IoT insecurity?
Internet security has become a key technical and legal issue with the rise of the IoT. Unfortunately, the suppliers of the things and systems have been unable to provide the security users need to mitigate the huge risk created by intense criminal activity and high vulnerability. The grand question is, therefore, who will carry the burden of this rapidly growing risk of insecurity?
There are four legal justifications for establishing product liability:
- culpability (negligence)
- contractual liability
- non-statutory strict liability
- statutory strict liability (Product Liability Act/Directive [PLD])4
These four can break you as a company, CEO and board member. As a consumer or individual, they can be tools used to fight back. In this article we will focus on the particular risks associated with strict liability under the product liability regulation.
Recognizing lack of security as a defect
Under the European Union (EU) system, product liability means that a producer of things of the internet is strictly liable (liability without fault) for damage a so-called safety defect causes to:
- natural persons (death or personal injury), and
- property intended for private use or consumption.4
How safe must a toaster be?
A product is defined under the directive as any device or "thing", that is, a physical object, including any item incorporated into other things or into real estate. Even garbage is included in the EU definition of product, if it is sold.
The key question is what is deemed a safety defect. A product has a safety defect if it "does not provide the safety which a person (and the public at large) is entitled to expect."5 The assessment is objective.6 An individual user's ignorance or misconception will therefore not free the producer of liability.
In addition to explicit communication related to the product, the type of device may affect expectation. In the Boston Scientific case, the European Court of Justice (ECJ) stated that persons are entitled to expect "particularly high" safety requirements for products, such as pacemakers, because of the "particularly vulnerable situation" of patients implanted with such devices.7
What if software causes the safety defect?
A security defect in connected things is often related to insufficient security of the controlling software. Things such as door locks, fire alarms, cars or refrigerators need not be insecure in themselves. But with the wrong kind of controlling logic, a lock may open, a fire alarm may not go off, a car may crash, and an ice cube machine may start a fire.8 This separates internet things from, say, a knife.
Software-controlled things were not high on the agenda when the 1985 product liability directive was conceived in the early 1980s. Software is not even mentioned in the directive. A product is defined as "all movables, with the exception of primary agricultural products, even though incorporated into another movable or into an immovable."
The EU Commission acknowledged the ambiguity in its thorough evaluation published in mid-2018.9 The ambiguity has also been criticized by the European Consumer Organisation.10
Because we lack clear wording, guidance and case law, we will have to lean on other considerations, just as the courts will have to. The word product is, as mentioned, to include all "movables", with some exceptions. The wide definition does not exclude software, even if "movables" points in the direction of a physical object.
For the consumer and the public, however, it makes little practical difference whether software controls the things we buy. The purpose of product liability regulation is to protect users from danger, and introducing software control does not reduce that need. If software-induced damage were not covered by the regulation, the rules would be rendered useless in an increasing number of cases. It could in fact be used as a loophole.
On the other hand, makers of products need clear notice of potential liability. Even if the reach of the European rules is not entirely clear, it should come as no surprise if a court holds a producer liable also for damages caused by the controlling software. The message to producers should therefore be clear enough.
Excluding software-controlled products from liability would also mean having to differentiate between cases where the physical product itself is dangerous, and cases where the danger is caused by the software. In some cases, the cause may also be mixed. Simpler enforcement will therefore favor including software in the definition of product. Given the wide definition of product, the purpose of the regulation and enforcement considerations, I believe a European court likely would conclude that controlling software is part of the product.
When must the product be safe?
The Product Liability Directive (PLD)4 states that defects are to be assessed at the time the product is put into circulation, in practice at the time of sale.11 How will that work if the software causing the danger is installed after the sale has taken place, as is the case with updates?
On the face of the wording of the directive, liability may be excluded for subsequent danger-inducing changes and upgrades. It must be clear that later changes made by someone other than the producer will not cause liability for the producer, unless the ability to make the product insecure is in itself a safety defect.
This after-sale potential for danger is a new situation, not contemplated in the early 1980s and identified as a weakness in the directive.12 However, if the purpose of the directive is to be achieved, namely to "protect the physical well-being and property of the consumer", such later updates cannot exempt the producer from liability. This is also in line with article 1 of the PLD,4 which states: "The producer shall be liable for damage caused by a defect in his product." Still, there is no denying that the ambiguity increases the importance of the other three legal justifications for establishing liability mentioned above.
Three caps on liability
Producers of things of the internet are offered protection by the following:
First, only the safety standards applicable at the time the product was put into circulation will apply.8 Higher standards introduced later will not be the yardstick against which an older product is held, even if software updates take place. This means that even if a product could have been made safe under today's standards by a software upgrade and is not, the producer will not be liable under the directive. Instead, the person suffering the loss will have to rely on the tort system: it may be negligent not to correct a security defect once the potential consequences are considered. Or the contract may state that the producer shall keep the product safe by way of software updates.
Second, the double time bar of the directive means that no claim may be presented later than:
- three years after the claimant "should reasonably have become aware of the damage, the defect, and the identity of the producer;" and in any event no later than
- ten years after the product was put into circulation.4
Third, property damage is subject to a 500 euro lower threshold (PLD article 9),4 which means that a safety defect causing a high number of small claims on low-value products may never reach the producer. In the age of class action, this may constitute a significant limitation of liability for producers of low-cost products, and it is criticized by consumer advocates.
Who may become liable?
In short, almost anyone involved in the distribution of the things may become liable. The producer is defined widely in the directive as the:
- manufacturer (of the finished product or of a component part);
- organization offering a product for sale under its own name or trademark;
- supplier, if the producer cannot be identified; and
- importer (PLD article 3).4
This means that the whole chain of companies making or contributing to the distribution of the product may become liable for unsafe aspects of it. Liability toward the injured party cannot be limited or excluded by contract (PLD article 12). It may, however, be allocated between the parties in the chain of distribution, a point you always need to consider when drafting such contracts.
Data protection and IoT
The long-awaited EU e-Privacy Regulation, which regulates the communications side of data privacy, will increase potential liability further, because it directly regulates "terminal equipment", which includes things of the internet.13 For sanctions, the e-Privacy Regulation simply refers to its bigger sibling, the General Data Protection Regulation (GDPR), so be aware.
If the supplier processes personal data or has access to it for maintenance or otherwise, the supplier will be considered a data processor and the GDPR applies directly. Even a software maker that does not process the personal data may become liable by way of the contract if the requirements for “privacy by design” or information security in the contract are not met.
The requirement for "security of processing" in GDPR article 32 is a key requirement, and another reason for ensuring that connected things are secure. The potential for huge fines is well known: up to 4% of total worldwide annual turnover of the enterprise, or 20 million euro, whichever is higher (GDPR article 83).
Related, and perhaps more practical, is the risk of
- class action claims from data subjects (persons),
- damaged goodwill,
- reduced revenue, or
- claims from customers.
Class action: under the GDPR, the persons to whom the data relates can claim against both the data controller and the processor for material and non-material damage (GDPR article 82). Just as the number of affected persons can be huge, so can the claims, typically presented through class action.
Imagine 2,000,000 users being awarded 150 dollars each. A payout of 300 million dollars may be enough to bankrupt even a mid-sized company. If data subjects can show financial loss, these numbers may increase dramatically.
Under the GDPR, this liability is allocated between controller and processor "corresponding to their part of responsibility for the damage." Only a party that "proves that it is not in any way responsible" for the event giving rise to the damage escapes liability.
Damaged goodwill is a more likely consequence of a large and public data breach than class action is. Because the main currency of many businesses is trust, lost goodwill can mean reduced revenue and, with it, a lower stock valuation. Add the cost of public relations efforts, other corrective actions, legal assistance and notifications, and the costs quickly pile up.
Claims from customers: any customer of a supplier responsible for providing the required security may very well hold that supplier liable for all of the above. If the security norm is breached or ignored and a causal connection to the damage can be established, liability may follow quickly.
Lack of product safety may have carryover effects. One, as mentioned above, is contractual liability for the producer, whether the defect lies in software or in the thing itself. A second is personal liability for negligence on the part of the leading officers of an organization that does not provide the required security.
Consumer protection – a new deal
In the EU there is substantial consumer protection regulation, including protection for a number of things that may be connected to the internet.14 This regulation is expected to be strengthened further by the various measures in the so-called "New Deal for Consumers" package.15 Of the existing measures, the United Nations Convention on Contracts for the International Sale of Goods of 1980 (CISG), later implemented in the Sale of Goods Acts of the various EU/EEA countries, should be mentioned.16/17
New safety laws
Due to the new situation created by the IoT and other technological developments, new security legislation is being prepared. The best known may be the directive on security of network and information systems (NIS Directive).18
Both consumer protection and security laws will likely increase the risk to producers, because both may raise the bar against which the security level of a product will be measured.
What to do? - SAFETY FIRST!
As this article shows, safety requirements are the common basis for liability. The first thing to do is to make your product safe. Establish and document:
- product development processes for built-in safety and data protection
- rigorous quality and safety testing and management
- clear placement of responsibilities within your own organization
- other required policies communicated
- third party audits conducted
The board of directors should instruct the CEO accordingly. The CEO must in turn embed the same in his or her organization. Both need to follow up on implementation in a structured manner.
No matter how well you execute even the best plan, some risk will remain. Such risk can now, to a large extent, be insured. Use a competent insurance broker to put in place at least:
- board and CEO insurance
- product liability insurance
- cyber insurance (with crime coverage)
- professional liability insurance
Acting on the above should protect the company, the board and management alike, and ensure many good nights of sleep.
ABOUT THE AUTHOR
Attorney-at-law Kristian Foss is a partner in the Bull & Co law firm, Oslo, Norway, former in-house counsel at the leading IT supplier EVRY, and a member of the Expert Committee for IT Law at the Norwegian Centre for Continuing Legal Education. He has more than 20 years of experience with technology and contract law.
- Michael E. Porter and James E. Heppelmann, "How Smart, Connected Products Are Transforming Competition", Harvard Business Review, November 2014.
- Definition: connected smart products that comprise the Internet of Things (IoT), or "things of the internet", are interconnected computing devices that can send and receive data through the internet.
- The Guardian, "DDoS attack that disrupted internet was largest of its kind in history, experts say".
- Product Liability Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products. Also covers the EFTA countries Iceland, Liechtenstein and Norway, which with the EU form the European Economic Area (EEA). See also PLD articles 9 and 10.
- PLD article 7(1) and its preamble.
- Norwegian Supreme Court, Rt. 2004 s. 122, para. 33.
- SAE explained: "Understanding SAE automated driving: levels 0 to 5 explained". The standard: Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles, J3016_201806. Other standards exist too.
- Boston Scientific Medizintechnik GmbH v AOK Sachsen-Anhalt Die Gesundheitskasse (C-503/13), para. 39.
- Norwegian court of appeals, 2018, LA-2018-82379: damages of NOK 10.8 million (USD 1.27 million) awarded.
- PLD articles 6(1)(b) and 7(b).
- Evaluation of Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, which concluded: "The Conference on the Evaluation of the Product Liability Directive gave the opportunity to confirm the need to pursue the reflection on the future of the Directive in order to ensure legal certainty, in particular in relation to its application to new technologies, such as Artificial Intelligence systems and advanced robots and internet of Things."
- http://www.europarl.europa.eu/legislative-train/theme-connected-digital-single-market/file-jd-e-privacy-reform and https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2017:0010:FIN. Now under final negotiations.
- Directive 2001/95/EC, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32001L0095, and Directive (EU) 2016/1148, https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive.
Reference: see also the white paper "How insecure things of the internet can break you" by Kristian Foss, Bull & Co, Norway, February 2019.