‘Smart home’ revolution tests legal liability regimes
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
Smart products are now commonplace in developed countries, ranging from thermostats that adjust to home occupancy levels to wearable devices that detect health risks.
Yet when technology goes wrong — such as smart doorbells catching fire — the legal ramifications can be hazy. Many consumer products are not merely internet-connected but also have the ability to adapt, thanks to algorithms and machine learning.
“Autonomy and self-learning mean smart products are designed to evolve,” says Rod Freeman, a product liability lawyer at law firm Cooley. The definition of a product is becoming fuzzier as layers of software are woven into devices, and it may be unclear who is at fault for an accident or failure, he says.
“Claimants will try [to claim in the result of a defect], and software providers could push back and say it was a failure to maintain the software, or that updates were not downloaded by the consumer,” says Katie Chandler, product liability expert and partner at Taylor Wessing, a law firm. “There could be all sorts of arguments for liability in an Internet of Things (IoT) product failure.”
It took years for regulators to tackle the problem of online fraud in the financial services industry and legal professionals do not want to see this inertia mirrored in product safety. “What led to strong customer authentication in banking was a huge amount of online fraud. We suffered for years and lost billions of pounds before this was brought in,” says Toni Vitale, head of data protection at Manchester-based JMW Solicitors.
The EU’s product liability directive lays out the responsibilities on European manufacturers in the event of defects, but it was issued more than a decade before consumers could even download ringtones on their mobile phones. As such, product liability lawyers say that regulations should similarly evolve to accommodate these risks.
Lawyers say that cyber security is becoming inseparable from consumer safety, rather than being a privacy issue, in areas such as autonomous vehicles or implantable medical devices — both of which have faced hacking concerns. “There is a crossover between IoT data breaches and product liability,” says Ms Chandler. “That’s where product liability practitioners see litigation coming, in terms of whether or not a data breach is a defect under the existing product liability regime.”
Another area of risk is smart home gadgets, says Mr Vitale. “If you can access someone’s thermostat device from outside the home, you can work out which occupants are home and which aren’t,” he says. “A hacker could also access digital doorbells [which allow remote viewing of a guest, such as a delivery worker], which record your coming and going.”
Mr Freeman says: “Cyber security and product safety regimes need to converge to a single set of rules for a product, but at the moment these rules and policies are developed in different forums. There is a lot of talk and activity but no central co-ordination.”
None of these emerging risks are insuperable — encryption can provide better protection, as can stronger customer authentication. But without regulatory requirements driven by government, the smart products industry may balk at such measures due to their financial cost.
“These devices are designed to be cheap so they don’t have a lot of inbuilt functionality, such as having enough memory to store your credentials and data in a way that’s secure,” says Mr Vitale. “They are designed to require no maintenance, no patches and no software updates, unlike logging on to online banking.”
He calls for minimum standards on data collection and device security. “We all want plug-and-play devices that are easy to adopt and internet-connected. There is no reason, apart from cost, that they can’t have high levels of encryption.”
So far, the policy discussion about whether legal liability rules can handle smart product defects is driven by “theory rather than experience”, says Mr Freeman, and there is no evidence of disputes reaching the courts. This means there is no case law on which companies and their legal teams can look to for guidance, according to Ms Chandler.
The European Commission is reviewing product safety in the context of advanced technologies, with the 2020 artificial intelligence white paper finding the existing regime sufficient. Ms Chandler describes this as “surprising, because it’s not clear to us how it all applies in practice”.
Adaptation may not equate to a new legal framework, however. Mr Freeman calls for a careful approach that does not rule out whether existing systems can cope with the changes. “We’ve seen medical device regulation adapt with provisions for dealing with software,” Mr Freeman says. “We didn’t have to entirely rewrite the regulation. A new liability regime to plug a perceived gap could create more uncertainty that it resolves by creating two liability systems.”