In the race to innovate, every seller of goods and services wants to offer “smart” connected devices capable of remote control via mobile devices. The smart-device economy is known as the Internet of Things, in which consumer and industrial devices (and product controls) contain embedded microprocessors and connect to the Internet.
Internet of Things devices include automobiles, drones, household lighting and appliances, household locking systems, LED light bulbs with remote controls, surveillance cameras and even talking teddy bears and motorized toys.
Under the common law principle of strict products liability for sellers of inherently dangerous products and services, a seller, or supplier in the supply chain, is personally responsible for injury and property damage caused by an inherently dangerous product. Seller liability can arise from faulty design, faulty manufacture or failure to warn about nonobvious defects. This principle could be extended to service providers using smart tools.
Recent hacking of a Jeep automobile and interference by recreational drones with aerial firefighting and commercial aviation have inspired a legislative codification of the common law of a seller’s tort liability for placing inherently dangerous products into the marketplace. Virtually every merchant selling Internet of Things goods or services needs to conduct a self-assessment to manage potential liability. Failure to do so would be a criminal offense, if pending legislation is enacted.
Globally, cyberhijacking (or cyberjacking) of Internet of Things devices has become a national security concern. Recently, French police engaged in tests to defend against unauthorized aerial drones, using military measures such as radio jamming. Eighteen draft bills pending in the U.S. Congress would regulate drones to address aviation safety, privacy, data security and domestic military uses of drones.
In July, U.S. Sen. Bill Nelson, D-Florida, introduced legislation, the Motor Vehicle Safety Act of 2015, to provide greater transparency, accountability and safety authority to the National Highway Traffic Safety Administration and other federal agencies. Generally, the law would impose duties to warn and publicize accidents and serious safety dangers from all products (not just motor vehicles) and services in interstate commerce.
Civil and criminal penalties would apply to violators. Foreign governments would be asked to cooperate, since foreign products and foreign components are targeting the U.S. marketplace. Although this act was drafted principally to cover motor vehicle safety, the draft incorporates and updates portions of a draft bill introduced in July 2014 by Sen. Richard Blumenthal, D-Connecticut, to establish criminal penalties for failing to warn of serious dangers.
AREAS OF FOCUS
Here are three areas to focus on:
First, keep your products safe and smart. Ensure that smart features are independent and cannot cause loss of control by a consumer or third party. Separate “toy” functionality from “command and control” functionality. Use a smart core software application with robust security controls for embedded applications. Design the product or service to anticipate situations in which communications links might be broken or altered.
Be aware that smart devices can generate data that may include protected personally identifiable information. As for any other Internet tool, “design for privacy” to minimize risks of data security breaches from operator mistakes and malicious hackers.
Enable systems to take instructions only from one source, not from connected sources that might be interdependent.
Route the remote commands through a company or third-party service that checks for malware and authenticates the source of instructions.
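As an added illustration of the design advice above (not code from this article): a device that accepts commands from one authenticated source only, keeps "toy" functions away from control state, and falls back to a safe state when the link goes quiet. The key, command names, timeout and message layout are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device would keep a per-device key in protected storage.
DEVICE_KEY = b"constructed-demo-key"
LINK_TIMEOUT_S = 5.0                                # assumed silence limit before failing safe
CONTROL = {"drive": "driving", "stop": "stopped"}   # "command and control" functions
TOY = {"blink", "play_sound"}                       # cosmetic functions, never touch control state


def sign(counter, command, key=DEVICE_KEY):
    """Gateway side: tag = HMAC-SHA256(key, 8-byte counter || command)."""
    msg = struct.pack(">Q", counter) + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    def __init__(self, now):
        self.last_counter = 0      # highest counter accepted so far (replay guard)
        self.last_valid = now      # time of the last authenticated message
        self.state = "stopped"     # safe state

    def tick(self, now):
        """Watchdog: a link that has been silent too long forces the safe state."""
        if now - self.last_valid > LINK_TIMEOUT_S:
            self.state = "stopped"
        return self.state

    def handle(self, counter, command, tag, now):
        self.tick(now)
        if not hmac.compare_digest(tag, sign(counter, command)):
            return "rejected: bad tag"          # not from the single trusted source
        if counter <= self.last_counter:
            return "rejected: replay"           # an old message sent again
        if command not in CONTROL and command not in TOY:
            return "rejected: unknown command"
        self.last_counter, self.last_valid = counter, now
        if command in CONTROL:
            self.state = CONTROL[command]
        return "accepted"


def demo():
    dev = Device(now=0.0)
    results = [
        dev.handle(1, "drive", sign(1, "drive"), now=1.0),
        dev.handle(1, "drive", sign(1, "drive"), now=2.0),             # replayed message
        dev.handle(2, "stop", sign(2, "stop", b"other key"), now=3.0),  # wrong source
        dev.handle(3, "blink", sign(3, "blink"), now=4.0),             # toy command
    ]
    return results, dev.state, dev.tick(now=20.0)   # link silent after t=4.0
```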
Second, alert consumers. Provide a written waiver of claims after disclosing information about a product’s potential liability. This enables the consumer to give informed consent and expressly assume the risks. (And tell your shareholders if you are a public company.)
Enable the customer to disable the smart features that use software and telecom. Offer a kill switch. Allow the consumer to remove the smart brain.
Include consumer instructions about common mistakes that expose information technology and telecommunications to unauthorized access. This can include encryption and password management.
Third, manage your brand. Develop industry-standard protocols for minimum levels of security. Understand the limitations of certification. Adopt standards under the advice of an industry technical consultant, and go to the International Standardization Organization’s compilation of industry standards, identify relevant standards and build your business on compliance and certification with these standards.
Review your advertising. The Federal Trade Commission and local state attorneys general have jurisdiction over false and misleading advertising. If you make or sell a smart product, you need to include disclaimers that identify risks of hacking and why you believe the product is relatively safe despite such risks.
Demand that your in-house teams and your suppliers’ teams commit to cybersecurity, with compliance with defined minimum protocols. Manage cybersecurity as part of the product life cycle, just as you do for design defects.
If you manufacture unsafe consumer products, the Consumer Product Safety Commission, National Highway Traffic Safety Administration and other agencies can make you recall and replace the defective units. Be ready for the process. Get informed and have a disaster contingency plan.