Legal Liability for IOT Cybersecurity Vulnerabilities

The legal system and lawsuits will play a significant role in regulating IoT cybersecurity due to the lack of effective statutes and regulations. Product liability lawsuits will focus on identifying the actors responsible for ensuring product safety and imposing liability for unsafe products.

• The legal system and lawsuits will be important in regulating IoT cybersecurity
• Statutes and regulations are not effective due to the complexity and rapid evolution of IoT technology
• Product liability lawsuits will focus on identifying responsible actors and imposing liability for unsafe products

The speaker provided examples of ridiculous IoT products, such as a smart water bottle that glows when it wants you to drink and an IoT showerhead that lets you set the temperature before getting in. The speaker also joked that their children would hack into their account and change the shower temperature if they had one of these devices in their home.

There has been much discussion of "software liability," and whether new laws are needed to encourage or require safer software. My presentation will discuss how -- regardless of whether new laws are passed -- a tidal wave of litigation over defective IoT cybersecurity is just over the horizon. The presentation will focus on a well-known example: Charlie Miller and Chris Valasek's 2015 Jeep hack. I'm lead counsel in the ongoing federal litigation over the cybersecurity defects Charlie and Chris exposed, and that are shared by 1.4 million Chrysler vehicles. As far as I know, our case is one of the first, and the biggest, that involves claims that consumers should be compensated for inadequate cybersecurity in IoT products. This case is the tip of the iceberg. IOT products are ubiquitous, and in general their cybersecurity is feeble, at best. In the event of a cyberphysical IoT hack that causes injury, there are established legal doctrines that can be used to impose liability every company involved in the design, manufacturing, and distribution of an exploited IoT device or even its cyber-related components. Such liability could be crippling, if not fatal, for organizations that don't know how to properly handle and prepare for potential lawsuits. Taking steps to minimize legal exposure before an accident happens or a lawsuit is filed—in the design, manufacture, product testing, and marketing phases of an IoT product—can be the difference between life and death for IoT companies. Knowing what steps to take and how to take them requires an understanding of the core legal principles that will be applied in determining whether a company is liable.