The Financial Times recently reported that the Apple smartphone unlocking system has now been used 11 million times at 1700 hotels across the US and Canada without being breached once! It is amazing what technology has connected and will connect. And of course, the resulting IoT (Internet of Things) exposure to litigation risk is increasing exponentially.
Four factors are driving this increase:
The expanding attack surface, coupled with the increasing sophistication of cyberattacks.
As connectivity reaches into power plants, pipelines, hospitals, and other components of critical infrastructure, the possibility of mass tort litigation involving connected devices is increasing. At the same time, IoT consumer class action litigation will soon be joined by derivative and securities lawsuits – respectively alleging that boards of directors failed to oversee product security in violation of fiduciary duties, or that company leaders made misrepresentations about the health of their organization in light of undisclosed vulnerabilities.
Increasing product complexity surrounding software, components, and suppliers.
When products fail, litigation ensues and companies scramble to reduce and redirect liability. Software and connectivity issues that impair performance and lead to safety concerns will be difficult to sort out. It’s never easy to figure out exactly which component or software led to an issue. Even companies that do not manufacture IoT devices – but only use them – face potential risk from this expanding litigation.
The growing array of statutes and regulations governing data security and data privacy.
Plaintiffs are bringing suit against IoT device manufacturers for the allegedly wrongful collection or use of consumer data. For example, some of these suits allege that headphones have spied on listeners and that personal devices have inappropriately collected highly sensitive usage information. Such lawsuits also assert a wide range of claims – including for invasion of privacy, violation of federal and state wiretap acts, fraud, and breach of contract. Plaintiffs typically attempt to assert standing based on an alleged risk of future harm (e.g., that a hacker may exploit a security vulnerability in the future). A new wave of lawsuits is rapidly approaching – disputes that have standing because of real harm related to the theft of real assets and the increase of fraudulent liabilities.
Potentially critical safety consequences.
Class action suits based on allegedly deficient product security are increasing. Plaintiffs are bringing suit against manufacturers, alleging that various “smart” products contained security flaws. Plaintiffs allege only that such vulnerabilities have exposed the plaintiffs to a risk of future harm or deprived them of the value of bargained-for security.
The first wave of product liability attacks against IoT devices foundered on a basic legal problem: the products had not failed. Plaintiffs’ lawyers tried to create causes of action based on the potential for failure, but those claims were dismissed for lack of standing. We can expect that this will dramatically change in the near future when IoT is used to control operating systems. For instance, consider the potential liability when a hacker seizes control of a vehicle on a highway or changes the dosage or function of a medical device.
The IoT market is estimated to have reached 31 billion connected devices in 2020 and is expected to grow to 75 billion devices by 2025. It is expected that 5G networks, artificial intelligence, robotics, and cloud computing will enable IoT devices to facilitate greater automation, faster decision-making using real-time data, more human/robotic interaction, and more immersive experiences through virtual reality. Welcome to the next hotspot of litigation!