The Internet of Things (IoT) has introduced the world to a legion of so-called “smart” devices that drive an increasingly connected consumer to a global network of information and data. For the consumer, the advent of connected cars, home appliances and wearable devices is a revolution in taking control of our environment. For the manufacturer or distributor of such devices, however, the legal framework applicable to the IoT remains new and relatively unformed. The sheer number of IoT devices, the incalculable variations on how they can be networked, and the kind and amount of data they gather are nothing short of revolutionary. Undoubtedly, the law will take some time to catch up with the revolution. There are sound principles, however, that can help avoid or manage the risks associated with claims arising out of device failures or data security issues.
We will address below several measures that, taken singly or in combination, can mitigate the risks that these new devices may pose for manufacturers. These recommended measures are divided into consumer-facing or business-to-business (B2B) approaches. The goals behind them all are the same, however: to reduce risk through known and familiar legal measures that consumers, business partners, and courts recognize and can evaluate based on the context of the particular transaction.
The notions of transparency and clarity should guide any disclosures to consumers, who may not understand the ins and outs of a “smart” device and the problems a failure in it could cause. The newness of IoT devices may support a consumer’s argument that the risk of certain device failures leading to a privacy breach or other harm is not foreseeable to the consumer and thus should be allocated to the manufacturer. Potential claims may be avoided through effective user instructions and warnings, either by preventing an accident or product misuse in the first place or by providing a defense to a claim for inadequate warnings.
For example, a traditional clothes washer comes with warnings about electrical fires or floods due to failure or unauthorized maintenance. Likewise, the added “smart” functions should be thought through and addressed in the product use instructions and warnings. For example, compatibility and networking limitations should be clearly disclosed: if a product is designed only to work with (or is optimized for) a certain generation of browsers, WiFi standards, or end-user devices, that should be stated in the product literature (along with warnings of what might result from use with nonapproved components: security failures, performance slow-down, or other). If the device could be made less susceptible to failures by requiring operator security measures such as passwords, software upgrades, or retirement after a certain lifespan, in addition to warnings, the manufacturer should consider building corresponding operational limitations into the device.
In addition, any data-gathering function should be clearly disclosed even if it is separate from potential failures of the device in a traditional products sense. Consumers may not associate their new appliance or device with any privacy concerns. Privacy claims often are based on alleged per se violations of a statute or regulation (such as the General Data Protection Regulation fines assessed against Google in January 2019). Having an app associated with the device or allowing voice commands via a digital assistant, for example, allows robust data gathering and use that benefits both the consumer and the manufacturer; however, without some disclosures, it may not be clear to the user that the app or assistant is “listening” or monitoring use.
Finally, there are issues of an IoT device that may bridge the gap between traditional products liability and privacy. If the manufacturer monitors that new washer remotely for failures such as flooding, for example, there should be a clear disclosure of both the fact that the machine is monitored and the nature of any warnings or communications that will occur in case of failure: text message using consumer-provided phone data, for example, or email to the consumer’s provided address. (The manufacturer also needs to consider whether any remote monitoring or diagnostic programs create greater liability exposure, or trigger regulatory reporting requirements, by making individual device failures known to the manufacturer.) Likewise, if one consequence of security failure could be that a hacker exploits a device such as your new washer to compromise your network or the data and accounts on it, that potential (and available means to reduce the risk) should be addressed in the product literature.
In short, the terms applicable to “smart” products may need to do more than traditional product manuals have done. They offer a chance to educate consumers about the hybrid nature of these devices, which can pose products liability issues (personal injury, property damage) just like their analog counterparts, and which can also add 21st century privacy and data loss issues if the consumer does not properly secure them. Clear and explicit warnings and disclosures can forestall not only traditional products claims, but may also be helpful if a networked device is implicated in a privacy issue.
The issues associated with B2B and IoT devices are in many ways clearer. They also create greater potential financial exposure under current common law, however: for example, Target and Wendy’s paid many times more in settlement with commercial partners following high-profile data breaches than they paid to the class of affected consumers. (Note, however, that both breaches pre-dated the EU and California privacy rules that impose high potential fines and statutory damages for breach.)
Returning to our example of a “smart” clothes washer: there may be B2B arrangements in its manufacture, distribution, and installation/service/maintenance that offer opportunities for the manufacturer to shift risk to partners (and vice versa). Fortunately, the mechanism for such measures is familiar: the agreements governing those relationships. Many of these agreements can be tailored for both common law and regulatory/statutory exposure in the privacy area, just as they traditionally are for products liability and service claims.
Common measures that could help apportion liability in case of a privacy failure include the following:
- Security reps and warranties from suppliers of electronic parts, app developers, and any contractor who will be present in the home of the consumer;
- Covenants from suppliers, distributors, and service providers to keep consumer data secure and confidential and to take measures to prevent its unauthorized use, access, and disclosure;
- Covenants from suppliers to notify the manufacturer and to investigate security breaches involving component parts or any after-market services, and to cover the manufacturer’s direct costs associated with any breach involving customer data;
- Data processing agreements (or data transfer agreements for any cross-border sales or distribution arrangements), if distributors or service providers will be processing any consumer data;
- Requirements that suppliers and service providers have their own privacy policies relating to consumer data, and that they maintain internal information security programs that meet the manufacturer’s standards;
- Defining any customer data at issue in a supplier, service provider, or distributor agreement as protected Confidential Information of the manufacturer;
- Robust indemnity clauses relating to product failure, part failure, and issues with performance of services, specifically addressing data loss, privacy, and related claims;
- Ensuring that limitations of liability do not limit indirect damages for third-party claims based on data and related losses; and
- Ensuring that any business partner who collects consumer data has the requisite consent or other legal basis to do so.
There is, of course, no “litigation-proof” way to design or distribute any new product or service. In addition, the IoT is likely to bring forward novel claims of liability and novel applications of existing case law. This is especially true considering the emerging field of consumer-focused privacy protection. In the meantime, however, manufacturers would do well to educate themselves on the privacy and security implications of their devices. This will allow them to address potential issues in the design phase, warn consumers about the risks new devices may pose, provide effective instructions for use, disclose and (to the extent possible) disclaim potential risks, and allocate liability for failures among other participants in the commercial efforts to put these new devices on the market.
Donald P. Boyle Jr., Mitzi L. Hill, LeeAnn Jones and Jonathan B. Wilson are partners in the law firm of Taylor English Duma.