IoT liability risks
Product liability in interconnected systems
Andrew Austin, DR Partner
In our conversations with TMT clients, we’ve been discussing the opportunities and risks of the Internet of Things (IoT). We have focussed on how producers and designers can protect themselves from the liability risks associated with interconnected products.
Historically, product liability laws on both sides of the Atlantic have channelled liability towards the manufacturer or producer of a defective product. If you get sick as a result of eating a dodgy ready meal, you, as a UK resident, will have a direct claim against its manufacturer under the EU’s Product Liability Directive. Or you could sue the retailer that sold the meal, and the retailer could in turn sue the next party up in the supply chain, meaning liability might again find its way to the manufacturer.
That makes sense in a world where manufacturers exercise control over the design and manufacture of their products; where they are better placed than others to judge (and warn about) their risks and benefits and specify the terms on which they should be used; and where they can insure against the risks of their products going wrong. The law in turn has allowed them to limit the scope of liability by exercising that control (the claim against the manufacturer of the ready meal might well fail if, for example, it hadn’t been cooked according to the manufacturer’s instructions).
But existing liability regimes struggle with interconnected products. As the European Commission pointed out in a recent working document, such products involve sophisticated interdependencies between hardware, software (whether embedded or not), networks and data. Where something goes wrong, this makes it hard to determine who is – and, as a matter of legal principle, should be – liable.
Imagine that you are driving, swerve your car into a neighbouring lane and cause an accident. Under existing rules, liability would probably rest either with you (as the registered owner of the vehicle, and a bad driver) or with the vehicle manufacturer (if it was, for example, a fault in the steering system that caused you to swerve). But imagine that your car was an interconnected, automated vehicle. Responsibility for the accident could properly lie with you (if you were operating the vehicle under manual control); the vehicle manufacturer; the designer of the system, mapping and/or sensor software; the provider of data to the mapping app; the network provider (if network failure led to a sudden loss of navigation data); or perhaps even a third-party cyber attacker. Or perhaps a number of those parties. Who does the victim of the accident sue? How does he or she establish causation? Which of the potential defendants should be insuring against the risk?
Things will get even more complicated when we add AI and machine learning to the mix.
The EU’s current product liability regime dates from 1985, a year after CD-ROMs were introduced for PCs. It is not fit for purpose for the interconnected world; it is not even clear that downloadable software constitutes a “product” for the purposes of the Directive (and the same is true of US products law). To its credit, the Commission has recognised this and is consulting on changes that need to be made. Change will take time, however, and any rebalancing of responsibilities between industry and consumers will be controversial.
In the meantime, claimants and their lawyers may try to fill the vacuum by asking courts to impose new duties of care on providers of IoT products and services: to protect against cyber-attack, to ensure adequate redundancies to deal with loss of connectivity, perhaps even to monitor performance in real time and act on any problems that this reveals (in the same way that pharma and medical device companies do today).
What can IoT businesses do to protect themselves from liability in these circumstances? In the future, as today, who pays will be decided in large part by what is written in the contracts and what information is provided to end users and other affected parties, so many of our proposed solutions look quite traditional.
- Be clear in your contracts and product information about the intended uses of your product or service and about what it isn’t designed to do (including as regards interoperability).
- Provide clear instructions and warnings about risks that you can anticipate.
- Seek to limit or exclude liability for non-authorised uses, or more generally (but bear in mind that liability for death/personal injury cannot typically be excluded against consumers, and that in other cases such attempts may be subject to review for reasonableness). Pay particular attention to the risk of regulatory creep – if third-party software installed on your smart watch starts monitoring the user’s health, for example, you may become subject to data privacy and medical devices regulations and all the additional obligations that implies.
- Be clear about the allocation of risk as between hardware providers, software vendors and network providers, in particular as regards monitoring for cyber threats and keeping virus protections updated.
- Seek rights to access data to determine root cause where there is a failure.
- Monitor and act on reports of poor performance.
- Explore insurance options. While there are problems with many current cyber insurance and product liability policies, the choice available is growing and in time data analytics should reduce premiums.