logo

Legal Liability for IOT Cybersecurity Vulnerabilities

Conference:  BlackHat USA 2018

2018-08-09

Summary

The legal system and lawsuits will play a significant role in regulating IoT cybersecurity due to the lack of effective statutes and regulations. Product liability lawsuits will focus on identifying the actors responsible for ensuring product safety and imposing liability for unsafe products.
  • The legal system and lawsuits will be important in regulating IoT cybersecurity
  • Statutes and regulations are not effective due to the complexity and rapid evolution of IoT technology
  • Product liability lawsuits will focus on identifying responsible actors and imposing liability for unsafe products
The speaker provided examples of ridiculous IoT products, such as a smart water bottle that glows when it wants you to drink and an IoT showerhead that lets you set the temperature before getting in. The speaker also joked that their children would hack into their account and change the shower temperature if they had one of these devices in their home.

Abstract

There has been much discussion of "software liability," and whether new laws are needed to encourage or require safer software. My presentation will discuss how -- regardless of whether new laws are passed -- a tidal wave of litigation over defective IoT cybersecurity is just over the horizon. The presentation will focus on a well-known example: Charlie Miller and Chris Valasek's 2015 Jeep hack. I'm lead counsel in the ongoing federal litigation over the cybersecurity defects Charlie and Chris exposed, and that are shared by 1.4 million Chrysler vehicles. As far as I know, our case is one of the first, and the biggest, that involves claims that consumers should be compensated for inadequate cybersecurity in IoT products. This case is the tip of the iceberg. IOT products are ubiquitous, and in general their cybersecurity is feeble, at best. In the event of a cyberphysical IoT hack that causes injury, there are established legal doctrines that can be used to impose liability every company involved in the design, manufacturing, and distribution of an exploited IoT device or even its cyber-related components. Such liability could be crippling, if not fatal, for organizations that don't know how to properly handle and prepare for potential lawsuits. Taking steps to minimize legal exposure before an accident happens or a lawsuit is filed—in the design, manufacture, product testing, and marketing phases of an IoT product—can be the difference between life and death for IoT companies. Knowing what steps to take and how to take them requires an understanding of the core legal principles that will be applied in determining whether a company is liable.

Materials:

Tags:

Post a comment

Related work

Conference:  RSA Conference 2023
Authors: Andrea Little Limbago, PhD, Jamil Jaffer, Kathy Wang, Anne Marie Zettlemoyer
2023-04-24


Conference:  Defcon 31
Authors: Corynne McSherry Legal Director, Electronic Frontier Foundation, Daly Barnett Staff Technologist, Electronic Frontier Foundation,, India McKinney Director of Federal Affairs, EFF,, Kate Bertash Founder, Digital Defense Fund,
2023-08-01



Conference:  RSA Conference 2021
Authors:
2021-05-17