The Internet Of Things (You Can Sue About)

Partner in Reed Smith's Information Technology, Privacy and Data Security Group.

In a world where connected devices will soon outnumber connected users six to one, attention must be paid to the security of those connections. The security of the component devices of the Internet of Things has just started to become a matter of direct litigation, but has the potential to develop into a perpetual motion machine of lawsuits for the plaintiffs’ class-action bar. There will always be more component devices added to the Internet of Things; these will always be found to contain some level of vulnerability if hacked, probed, and pushed enough; plaintiffs hope, therefore, that they are embarking on an endless summer of product-linked cybersecurity class-action lawsuits.

No working device is perfectly secure. Certainly, no complex, connected device can promise to be forever immune to compromise. In 2014, aHewlett-Packard studyexamined common smart devices, including TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers. The study determined that the vast majority of these connected devices were subject to compromise, for failures ranging from weak passwords standards, to lack of encryption, to user interface vulnerabilities. The average device had twenty-five identified vulnerabilities.

A compromised smart TV is one thing, but other studies have shown that cybersecurity risks on the Internet of Things also run to vulnerable devices relied upon for health and safety. The FBI and TSA have issued warnings to be on the lookout for passengers trying to hijack in-flight entertainment systems to commandeer planes (although declaring the risk purely hypothetical). A recent study found that certain artificial pancreas, controlled by software, may be subject to wifi hacking, and similar allegations have been made concerning insulin pumps. Military drones deployed in combat situations overseas were hacked and disabled by the enemy via wifi. Products from baby monitors to security cameras to surgical robots have been hacked.

Now the plaintiff’s class-action bar is working to bring these ambient risks in the Internet of Things under the strict scrutiny of traditional product liability law. Asbestos and tobacco litigation has weakened, securities strike-suits are hampered, and the U.S. Supreme Court’sAliceruling has sent many patent troll suits back to Wonderland. Class actions over gotcha statutory damages are also under close review by the Supreme Court, and the plaintiffs’ bar is turning towards cybersecurity vulnerabilities.

For example, Helene Cahen of Berkeley, California is unhappy with her 2008 Lexus RX 400 H. Cahen filed a343-page national class action complaint against Toyota, Ford, and General Motors. An attentive reader could scour this Harry Potter-length pleading and would find no allegation that Cahen’s car caused her any physical injury or failed to work exactly as advertised.

Instead, this suit piggybacks on academic studies, press reports from hackers, and Congressional inquiry to allege that Cahen’s car, and millions like it with wifi features, are in theory vulnerable to remote compromise. In theory, per Cahen, a 2008 Lexus attacked with 2015 cutting edge-technology and know-how, could be caused to shut down its engines, slam on its brakes, or otherwise be hijacked.

Cahen’s basic legal theory is bone-simple: I paid more for the car than I would have had I known of this vulnerability. The car is worth less because the alleged vulnerability has not been fixed.

The plaintiffs’ class-action bar may soon apply that same damages theory in search of a real-world harm to any technology. I paid $X for a (any) connected device; a researcher claims they found a way to exploit some vulnerability; I am entitled to a refund. To the extent that an alleged vulnerability poses risks to life and safety, the manufacturers of connected devices will face not only financial arguments but arguments for recall or repair.

The disclosure of vulnerabilities in new products – or even in old connected products still widely used – seems likely to become a permanent feature of the Internet of Things economy. The worldwide black market for threat information, exploits, and specific attacks has become complex and mature. Arecent study by Lillian Ablon of the RAND Instituteshows that such hacker markets are now dominated by “financially driven, highly organized,and sophisticated groups,” complete with managers, quality control officials, technical support, warranties, and refund policies. The money to be made in finding and exploiting smart device vulnerabilities is a multiple of what could be made working for the manufacturer.

In addition, respectable academics, business competitors, and consumer advocates are continually testing for – and often finding – potential vulnerabilities in smart devices. The FTC and other data protection authorities are actively punishing companies who ignore reports of device vulnerabilities from any quarter. Both federal and state governments have launched recruitment campaigns to add government technologists to the hunt for defect.

For many companies, the call identifying vulnerabilities in a smart device to the government may literally be coming from inside the house. In April, the SECannounced its first enforcement actionagainst a company for using improperly restrictive language in a confidentiality agreement. SEC Chair Mary Jo White has promised similar action for other companies whose agreements have even thepotentialto stifle the whistleblowing process. Between this strong enforcement action and the ramped-up whistleblower awards now available, employees will have a strong incentive to identify vulnerabilities to the government.

AsCahenand other early cases are litigated, companies that manufacture connected devices can take some proactive steps. Ina speech this year to Carnegie Mellon University, FTC Commissioner Julie Brill urged companies to “adopt a policy of security by design, wiring security into their products at the outset, rather than as an afterthought. Technologists working on new devices should perform initial security risk assessments, test services for security flaws before they go to market, continuously monitor products throughout the life cycle, and, to the extent possible, patch known vulnerabilities.”

Even more fundamentally, companies must accept that the economic and cultural shift brought on by the widespread adoption of the Internet of Things require a corresponding change in cybersecurity risk management. Companies must move from breach readiness to vulnerability readiness. The challenge lies in being ready to address defects in smart components embedded in products already made, shipped, or sold. This struggle to define (and limit) the Internet of Things You Can Sue About is here to stay.

http://www.forbes.com/sites/danielfisher/2015/06/03/the-internet-of-things-you-can-sue-about/2/