In our recent survey of manufacturing and government executives and operations professionals, security topped the list as the number one concern about the Internet of Things.
Sure that concern is warranted, no one wants to get hacked. But we wondered, are there specific legal entanglements that an end user can get into because of a security breach? For advice, we asked Creighton Magid. He is a lawyer with the international law firm Dorsey & Whitney who works with clients to reduce their liability risk and navigate the Federal regulatory system.
What exactly are people worried about when it comes to security and the Internet of Things?
There has been a level of concern over data theft and hackers getting access to personally identifiable information.
The newer arrival on the scene for everyone--cities, manufacturers and utilities--is the potential threat to their basic infrastructure and processes. The interaction of the online world with their physical operating systems raises the risk for organizations that their operations could be brought to a halt and their equipment destroyed or taken offline for a period of time.
Your clients include municipalities, manufacturers, and product developers. Is there a common thread among them in how they approach cybersecurity in their organizations?
By and large, I don’t think that there is a full understanding of the magnitude of the potential threat. But there’s a good reason for that: A lot of the emphasis has been on data breaches, with less of a focus put on securing systems and their interconnections with the physical world than there should be.
Estimates put the number of connected devices added to the ecosystem at 5.5 million every day, and that’s a lot more potential points of entry for a cybersecurity attack. So there may be vulnerabilities that organizations have not thought of, or their systems may have become vulnerable to new threats for which an upgrade or security patch has not been issued.
Well there are plenty! In a well-publicized case, Ukraine’s power grid was shut down to the substation level. The only reason the country was saved from being plunged into darkness was—ironically--because of the aged infrastructure, so they were able to intervene manually.
But, hey, why worry? Doesn’t my cyber insurance cover any damages or loss of revenue due to a security breach?
Some cyber policies include exclusions that basically say that if you do not meet minimum levels of cyber protection, your claims could be denied. I am aware of one case where the insurer argued that the policyholder had not engaged in minimum levels of cyber protection and diligence and should be denied coverage. In an ironic twist, the case was ultimately dismissed because the insurer didn’t follow the dispute resolution procedures in its own policy, not because of the merits of the case.
Why then, if I am an end user, can’t I just sue the guy who sold me the equipment?
The answer here lies at the intersection of product liability law and contract law. For example, an automation supplier is likely to have damages limitations in its contract with the end user. For consequential damages, the supplier would argue that the plant’s remedies were limited to the amount of the contract or something of that nature. But if you are the plant, you might agree that the contractual limitations applied to the automation equipment as delivered, but sue on a theory that there was a lack of post -market vigilance on the part of the automation supplier to make you aware of new and emerging threats and to issue upgrades or patches.
This issue of post-delivery obligations regarding security has not yet been tested in courts. But I can see that happening in a world in which threats emerge daily and in which there is an expectation that security patches and upgrades are going to be delivered.
On the flip side, should organizations worry that they will get sued?
In general, yes. The plaintiff’s bar has shown considerable interest in pursuing internet-of-things cases. The Federal Trade Commission has been very active in pursuing consumer product companies that represent their systems as being secure or that imply that their systems secure when they are not. The U.S. Court of Appeals for the Third Circuit last year upheld the FTC’s authority to regulate in the cyber arena under the agency’s authority to address unfair marketing practices.
In that case, Wyndham Hotels and Resorts initially fought but later agreed to settle FTC charges that its security practices exposed payment card information to hackers in three data breaches. Under the terms of the settlement, the company will establish a comprehensive information security program to protect cardholder data and will conduct annual security audits.