This summary follows a recorded presentation by Dentons partners Sarah Carlson and Chloe Snider for the Practising Law Institute.
A. What is the IoT?
The Internet of things (IoT) refers to interrelated devices that can be connected to, or controlled by, the Internet. As the Federal Trade Commission (FTC) has explained, the IoT is "an interconnected environment where all manner of objects have a digital presence and the ability to communicate with other objects and people."1 The Canadian Office of the Privacy Commissioner (OPC) has provided a similar definition: the IoT "is the networking of physical objects connecting through the Internet."2
There is a big market for IoT devices. As of October 2019, the global IoT market was expected to grow to US$212 billion by the end of 2019. The technology reached US$100 billion in market revenue for the first time in 2017, and forecasts suggest that this figure will grow to around US$1.6 trillion by 2025.3
B. Why should lawyers care? Why is the IoT a hot (in our view at least!) legal topic?
Developments in technology may be moving faster than the law, creating uncertainty and risk. There is not yet a body of jurisprudence that tells us who is going to be liable for what when it comes to failures or breaches of IoT devices.
For example, in Canada, the OPC has said that accountability "may be easier said than done in the Internet of Things environment when there is a multitude of stakeholders, such as device manufacturers, social platforms, third-party applications and others" and has asked questions about "who is ultimately responsible for the data" for smart devices. The owner? The manufacturer? The third party storing data? The developers of the software or algorithm (for machine-made decisions)? Or some combination?4
These questions remain unanswered from both regulatory and litigation perspectives. For "dumb" devices, product liability is less complicated and the framework is well established.
II. Litigation Risks
A. General Theories of Litigation - What are we likely to see?
Product failures or vulnerabilities of IoT devices may lead to litigation over claims of privacy and data security, product liability, false advertising, unfair and deceptive trade practices, fraud and contract, including in the class action context. Some examples of claims categories follow:
- Privacy and data security: There have been, and we expect there will continue to be, litigation regarding alleged privacy breaches, including: (i) cases involving a third-party hacker that has obtained access to personal information collected through a smart device; and (ii) cases involving allegations that a company has collected information and used it for improper purposes (e.g., selling it to a third party) or has failed to disclose that it is collecting a certain type of information.
- Product liability: If the failure of an IoT device results in physical injury or property damage, product liability litigation is likely to follow. This will require that courts revisit more traditional product liability frameworks. For example, US courts, in assessing strict product liability, have traditionally considered hardware to be a product and software to be a service (excepting software from strict-product-liability regimes). We have yet to see, as a matter of consistency, how the law will adapt in the IoT context.
- False advertising, unfair and deceptive trade practices, and fraud: As in most cases that involve product marketing, we expect to see allegations regarding false advertising, unfair and deceptive trade practices, and fraud. We anticipate that litigation will stem from alleged failures to make proper disclosures, including about the use of data, or from alleged misrepresentations about the usefulness or benefits of IoT devices.
B. General Theories of Damages – What are they going to demand?
We expect to see plaintiffs seeking, among other things: (i) compensation for property damage; (ii) compensation for personal injury (to anyone injured by the product); (iii) compensation for diminished value/overpayment for the product; (iv) compensation for emotional distress (in some jurisdictions); (v) cost of repair; (vi) contractual damages; (vii) (in Canada) moral or symbolic damages for breach of privacy; and (viii) punitive damages.
C. General Defenses/Strategy Theories
Defenses will need to be tailored to the precise claims made but will likely be grounded in: (i) end-user license agreements (EULAs); (ii) clear and conspicuous privacy policies seeking consumer consent; (iii) arguments relative to standing; (iv) arguments involving the economic loss doctrine; (v) general defenses to class certifications; and (vi) many others depending on the precise nature of the claim.
III. Regulatory Activity
In addition to civil litigation exposure, smart device manufacturers should also pay attention to regulatory risks and what regulators are saying and doing in this space.
Numerous US regulatory agencies, including the Consumer Product Safety Commission (CPSC), the FTC, the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration (FDA), to name a few, are working to develop IoT frameworks.
In Canada, the OPC has also expressed interest in regulating this area and released a lengthy study highlighting that "[i]nformation collected by sensors within objects that are connected to each other can yield a tremendous amount of data that can be combined, analyzed and acted upon, all potentially without adequate accountability, transparency, security or meaningful consent" and raising myriad privacy implications.5 It has already investigated at least one IoT company.6
It is likely that the provincial privacy regulators will also be interested in the area. And, given the various issues that arise in this space, other Canadian regulators, like the Competition Bureau (which is focused on how data affects antitrust issues), could also be relevant.
In the US, though federal IoT legislation is being considered (and has been for several years), there is currently no federal law mandating, for example, national standards for IoT security. There are state laws, the first of which (in California and Oregon) took effect in January 2020. We expect that more states will enact legislation to regulate the security of connected devices.
In Canada, there is no legislation yet that would specifically address the IoT; however, Canada's "Digital Charter" outlines what Canadians can expect from the federal government in relation to the digital landscape, as does Canada's Personal Information and Electronic Documents Act (PIPEDA) modernization framework, released in May 2019.7
V. Global Cooperation
IoT security is a global issue. In July 2019, there was a meeting in London of the Interior, Homeland Security and Public Safety Ministers of Australia, Canada, New Zealand, the United Kingdom and the United States to discuss "common security challenges with regards to the IoT, and how we can best protect our citizens from cyber threats."8 The following November, the Australian government released a draft code of practice for securing IoT devices, which demonstrates the types of draft codes or legislation that may emerge.9
While we must calibrate against a large unknown, there are many things that companies can do to reduce exposure. For example:
- On the front end, companies should plan and determine in advance how devices will collect and disseminate. Companies should test their devices, including the security measures of those devices, and consider how patches and updates will be handled.
- From a product liability standpoint, companies should analyze potential risks and hazards during the design process and should incorporate the appropriate warnings into their instructions collateral.
- Policies and contracts are also important. Companies will need, for example, privacy policies and emergency response policies. Efforts should be made to draft strong EULAs and vendor contracts (with risk-allocating provisions).
- Companies should focus on employee training and on making sure that a qualified individual is charged with IoT compliance duties.
- Companies should do what they can to ensure that IoT devices will be supported over time.
- Companies should consider the statements made on packaging, in advertising and on social media.
- Companies should commit to ongoing, regular reviews, whether they be of security measures, privacy policies, changing legislation or vendor performance.
- Companies should consider selecting the right insurance policy.
4. OPC Research Paper, supra note 2.
5. OPC Research Paper, supra note 2.