9 April 2021

Consumer protection and product liability – 3 of 5 Insights

Product liability for an IoT data breach

Ed Spencer looks at potential claims for loss of IoT device personal data under product liability law.

  • Briefing

Author

Edward Spencer

Senior Counsel

With the number of connected devices set to rise as 5G takes off, manufacturers and distributors need to be alive to the fact that product liability laws have not kept pace with this technological development.

The product liability risks associated with a 'dumb' device are well known, but by connecting it to the world a whole new host of potential risks and liabilities arise.

Traditional product liability law in the UK and Europe imposes strict liability on a manufacturer if a device is defective, but those laws were drafted at a time when the lawmakers were only aware of the traditional risks associated with consumer items: personal injury and property damage.

What happens where a defective device doesn't cause physical damage, but is compromised such that its connection is hijacked or the personal data it holds is stolen? What liability might the manufacturer face now – and in future as legislation catches up?

We consider potential claims for loss of personal data under existing product liability laws – as opposed to data protection legislation – and look at how product liability law might develop in the coming years.

Current law

The Consumer Protection Act 1987 (the CPA, which implemented the EU Product Liability Directive 1985) is now more than 30 years old. It was drafted in an era when personal computers were just taking off and the internet was five years from its public debut. As such, the CPA does not deal with the concept of non-physical damage caused by faulty software or hardware, or by the loss of data.

Assuming that a product has a defect, and that defect causes a consumer loss, the CPA imposes strict liability on the producer. That loss, though, is limited to personal injury and/or property damage.

Throwing smart functionality into the mix

A connected device can still malfunction in the traditional sense to cause damage or injury, but there is a new risk to consumers – malicious access to built-in sensors or the loss of personal data which these devices often collect for the operation of their 'smart' functionality.

The non-pecuniary loss a consumer might suffer as a result of a malicious actor hacking into a connected device is not something which the English courts, to date, have had to grapple with in a traditional product liability sense.

It is foreseeable that in the event that a connected device is compromised, a consumer who suffers psychological injury (which includes distress) might try to pursue a claim under the CPA to avail themselves of the strict liability regime. Such a claim might be against not only the manufacturer but also the software developer, if different.

"Defect" in the context of a connected device

The present issue is: if a connected device is compromised remotely via its internet connection, is it necessarily defective? A product is only deemed to be defective under the CPA if its safety (including the risk of personal injury) is "not such that persons generally are entitled to expect".

It might follow that, if a connected device is compromised in such a way that remote access can be gained, there is a presumption that it is defective. But that is an oversimplification in the context of connected devices, which sit at the intersection of software and hardware, in particular when data is often held in the cloud.

To date, the English courts have largely treated hardware as a product, but software as a service. Connected devices bring these two together in ways which existing legislation was not designed to cater for. The concept of a contract for "digital content" as well as potential claims arising as a result of damage caused to a device or digital content by such digital content exists under the Consumer Rights Act 2015. However, that legislation is unlikely to apply to a data breach situation where no damage is caused to a device or data irretrievably lost (although remedies may be available under data protection law). To add further complication, the CPA does not afford the consumer a standalone right to claim compensation for damage to the item itself.

Although the subject of ongoing debate, there is no consensus as to how current product liability legislation would be applied to manufacturers of connected devices in the context of a software-only defect. It is not difficult to see how, in the right circumstances, a consumer might persuade the court that a connected device does fall under the existing strict liability regime – even if the fault is only in the software element of the product. It will be interesting to see whether the manufacturer of the device or the company behind the underlying software is ultimately held accountable.

Treating a software fault as a defect also fails to take account of the fact that connected devices often support over-the-air updates to deliver continuous improvements – including to security.

What then when it is the consumer who has failed in some way to keep their device secure, whether by failing to change the default password, not giving permission to install updates, or failing to secure their Wi-Fi connection? If the instructions for use and the availability of updates are such that, had the consumer taken the relevant steps, any defect would have been remedied, is the device defective?

We foresee significant scope for manufacturers either to avoid completely or to significantly reduce any potential liability for a connected device if the consumer has failed in some way to keep their device secure, and the EU's Digital Content Directive is already dealing with these issues in terms of consumer protection. However, to avail itself of these potential defences, a manufacturer should take certain steps in the design, manufacture and distribution of connected devices.

Some essential steps for the connected device manufacturer

Essential steps which connected device manufacturers should bear in mind when designing a new connected device, or adding smart capabilities to their existing devices include:

  • Ensure cybersecurity is a central part of the technical design of the device from the beginning – from both a hardware and a software perspective.
  • Ensure risk assessments consider the potential for malicious access, and consider whether the hardware and software specifications allow future updates to be installed – and whether they can be deployed remotely – for the whole life of the product (in particular noting the existing 10-year time period envisaged under the CPA).
  • Fully align data protection with cybersecurity and product liability to understand and mitigate the risks of a data breach.
  • Limit the use of default passwords as far as possible and implement unique, randomly generated passwords for each device.
  • Where a default password is unavoidable, consider making it mandatory to change it as part of the set-up process, or where that is not possible attach labels and stickers to alert the consumer to the change process.
  • Include clear warnings of the risks if the user does not maintain their device by installing any relevant updates.
  • Consider the extent to which your terms and conditions (including privacy policy) can lawfully be adapted to allow mandatory security updates to be installed remotely without user interaction.
  • Ensure that developers responsible for software or apps appreciate the need to limit what data is collected about users and, where appropriate, implement anonymisation to limit what data might be lost in the event of a breach.
  • Ensure contracts with suppliers include specific cybersecurity obligations to monitor and provide security updates for the product's intended lifecycle (including time limits for responding).
  • Consider the extent to which liability for any issues can be passed on to third parties, and whether insurance is available to cover liability which cannot be passed on.

Current consumer safety laws were developed at a time when cybersecurity was not a concept. That is changing and cybersecurity in relation to connected devices should already be central to product safety concerns.

For more on cybersecurity and data breaches, visit our Global Data Hub.

The future

The Office for Product Safety & Standards is currently exploring changes to existing product safety legislation to ensure that it is fit for the 21st century. The current consultation, which closes on 3 June 2021, specifically covers connected devices and is collecting evidence to consider appropriate updates throughout a product's lifecycle, including enforcement and liability issues.

A key focus of the consultation in relation to connected devices is products aimed at children. Our expectation is that there will be a convergence of approach between data protection and product liability as there is a blurring of boundaries and increasing overlap between the two areas.

The consultation is the beginning of the legislative review process so it is too early to predict the outcome, but it is clear that in the coming years there will be a legislative reset to deal with the rise of connected devices, potentially to include specific legislation around liability if a connected device is compromised. Whether that includes a financial remedy for consumers even where there is no loss or damage remains to be seen.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications or Disputes & Investigations teams.
