Minimising risk in IoT contracts

What are IoT devices?

First, although we assume most readers will now be familiar with IoT, it is worth setting out at the start a brief definition of the Internet of Things. The Global Standards Initiative on the Internet of Things defined the IoT as "a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies" and for these purposes a "thing" is "an object of the physical world or the information world which is capable of being identified and integrated into communication networks."

IoT devices can take a number of forms, from sensors on wind turbines or HVAC systems that automatically send data back to a central control centre that monitors for signs of damage or wear and tear, to remote temperature sensors, to smart meters and light bulbs in the home.

It is estimated that there will be 30 billion IoT devices in use by 2020, each generating data. They will be integrated into other, larger, products; often, several IoT devices will be integrated into one product. Sometimes they will "talk" to each other, as well as to external devices and servers.

Cybersecurity and product liability

The first issue to consider is security of IoT devices. It has been widely reported that significant numbers of IoT devices have fundamental security issues. While there has been some effort to draw up standards, and privacy by design may assist in future for IoT devices which involve personal data, it seems likely that the security of IoT devices is unlikely to improve in the near future.

The mass proliferation of IoT devices means that there will be very large numbers of 'dumb' devices which are vulnerable to attack. There have already been instances of, for example, connected heating systems being held to ransom by attackers. Where they are connected to other networks, they may provide an access point to other important systems (for example, it is widely reported that the hackers in the Target data breach got access to wi-fi connected HVAC systems in Target stores, and moved on from there).

If an IoT device which is fundamentally insecure is incorporated into a product, and is used as an entry point to either take control of or damage the product (or indeed other systems or devices connected to it), one can see the building blocks for potential claims. However, each case is likely to be different and the terms on which the IoT device is supplied will likely seek to limit liability. Equally, there are likely to be interesting issues around remoteness and causation. Finally, there may be differences in practice between IoT devices which may be insecure "out of the box" but for which the manufacturer has an expectation that, as part of incorporating the device into an overall product, it is configured in a more safe way, and IoT devices which are fundamentally insecure in some way (such as not being able to support modern encryption, or having easy to guess hard-coded passwords that cannot be changed).

Privacy

Linked to cybersecurity are questions around privacy. A number of IoT devices will transmit personal data. The implementation of satisfactory privacy regimes around IoT devices is still in its relative infancy, and has not been tested (in the English courts, at least) extensively. However, there have been a number of cases brought in the U.S. involving connected home devices where data was being used either in ways which the consumer alleged were in breach of the privacy policy, or which were not clear to the consumer. With more data breaches likely to become public after the GDPR comes into effect, and the likely increase in class action-type claims in the UK, risk around privacy and IoT will only increase, but at the moment there is little sign of significant steps to improve security.

Data ownership (or not)

Data itself is not 'owned'; rather, it is the aggregation or collection of such data, provided that there has been a relevant investment in carrying out the aggregation or collection, that is 'ownable'. Separating the potential ownership interests of the different players in the data chain is important, and not always easy.

If the relevant criteria are satisfied (broadly, the existence of a 'database', substantial investment in obtaining, verifying or presenting the data, and the maker of the database having a substantial economic and business connection with the EEA), the 'maker' of a database will be the first owner of the database right. Identifying who that is will not always be easy in modern data chains, where a number of players come into contact with data in some way, each with their own interest in exploiting data.

Competition / antitrust

It is not difficult to envisage a future where certain participants may have sufficient market share that it is arguable that they occupy a monopoly position. There is, among some European regulators, a clear interest in applying concepts of competition law to big data, although there are issues with this approach that have not yet been explored.

Evidence?

As a final point for those involved in disputes, IoT devices present a fascinating, but as yet largely unexplored, issue. The data which IoT devices generate may, in some disputes, turn out to be valuable evidence. For example, data from a GPS-enabled fitness tracker, could be key in establishing whether or not an individual had been personally served with a claim form. It is early days for this in civil cases (criminal cases are slightly more advanced, for example Amazon agreeing to hand over Alexa recordings from an Echo which was in the room where a shooting took place). Parsing that data, analysing it, and making sense of it will not necessarily be easy. Understanding how accurate that data is will also be important – can it be falsified, or edited? Despite these issues, in appropriate cases, it is clear that IoT devices could play an increasing evidentiary role in disputes.

If you have any questions on this article please contact us.