First, although we assume most readers will now be familiar with IoT, it is worth setting out at the start a brief definition of the Internet of Things. The Global Standards Initiative on the Internet of Things defined the IoT as "a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies" and for these purposes a "thing" is "an object of the physical world or the information world which is capable of being identified and integrated into communication networks."
IoT devices can take a number of forms, from sensors on wind turbines or HVAC systems that automatically send data back to a central control centre that monitors for signs of damage or wear and tear, to remote temperature sensors, to smart meters and light bulbs in the home.
It is estimated that there will be 30 billion IoT devices in use by 2020, each generating data. They will be integrated into other, larger, products; often, several IoT devices will be integrated into one product. Sometimes they will "talk" to each other, as well as to external devices and servers.
The first issue to consider is security of IoT devices. It has been widely reported that significant numbers of IoT devices have fundamental security issues. While there has been some effort to draw up standards, and privacy by design may assist in future for IoT devices which involve personal data, it seems unlikely that the security of IoT devices will improve in the near future.
The mass proliferation of IoT devices means that there will be very large numbers of 'dumb' devices which are vulnerable to attack. There have already been instances of, for example, connected heating systems being held to ransom by attackers. Where they are connected to other networks, they may provide an access point to other important systems (for example, it is widely reported that the hackers in the Target data breach got access to wi-fi connected HVAC systems in Target stores, and moved on from there).
If an IoT device which is fundamentally insecure is incorporated into a product, and is used as an entry point to either take control of or damage the product (or indeed other systems or devices connected to it), one can see the building blocks for potential claims. However, each case is likely to be different and the terms on which the IoT device is supplied will likely seek to limit liability. Equally, there are likely to be interesting issues around remoteness and causation. Finally, there may be differences in practice between IoT devices which may be insecure "out of the box" but for which the manufacturer has an expectation that, as part of incorporating the device into an overall product, it is configured in a safer way, and IoT devices which are fundamentally insecure in some way (such as not being able to support modern encryption, or having easy-to-guess hard-coded passwords that cannot be changed).
Data itself is not 'owned'; rather, it is the aggregation or collection of such data, provided that there has been a relevant investment in carrying out the aggregation or collection, that is 'ownable'. Separating the potential ownership interests of the different players in the data chain is important, and not always easy.
If the relevant criteria are satisfied (broadly, the existence of a 'database', substantial investment in obtaining, verifying or presenting the data, and the maker of the database having a substantial economic and business connection with the EEA), the 'maker' of a database will be the first owner of the database right. Identifying who that is will not always be easy in modern data chains, where a number of players come into contact with data in some way, each with their own interest in exploiting data.
It is not difficult to envisage a future where certain participants may have sufficient market share that it is arguable that they occupy a monopoly position. There is, among some European regulators, a clear interest in applying concepts of competition law to big data, although there are issues with this approach that have not yet been explored.
As a final point for those involved in disputes, IoT devices present a fascinating, but as yet largely unexplored, issue. The data which IoT devices generate may, in some disputes, turn out to be valuable evidence. For example, data from a GPS-enabled fitness tracker could be key in establishing whether or not an individual had been personally served with a claim form. It is early days for this in civil cases (criminal cases are slightly more advanced, for example Amazon agreeing to hand over Alexa recordings from an Echo which was in the room where a shooting took place). Parsing that data, analysing it, and making sense of it will not necessarily be easy. Understanding how accurate that data is will also be important – can it be falsified, or edited? Despite these issues, in appropriate cases, it is clear that IoT devices could play an increasing evidentiary role in disputes.