Think of a world where physical objects are seamlessly integrated into an information network; cars, homes, books, watches, spectacles, kitchens and so on. And where the physical objects can become active participants in business processes that is, they become ‘smart’, coupled with services being available to interact with these ‘smart objects’ over the Internet, analyze their state and any information associated with them, taking into account security and privacy issues. That is the Internet of Things (IoT) and it is here.
Mckinsey estimates that IoT impact on the global economy might be as high as $ 6.2 trillion by 2025 and there lies the issue. Given the current surge in cyber-attacks, businesses and consumers will be keen to understand liability and risk allocation in IoT.
The curse in the blessing
We are now able to control the various connected devices on the network using an app on our phones and tablets. However, like anything digital, these networks run the risk of being hacked. The question is who is liable when something goes wrong?
As the IoT can connect devices from different manufacturers, it is possible for a user to own a smart TV from maker X, a smart coffee machine from maker B, and a smart air vent from maker A, which are all controlled by a smartphone from maker Z that runs on software created by a third-party. Looking at the complexity of these connected devices makes it much harder to establish who is liable, under current laws and regulations, when something goes wrong.
Even on a simple level, if a smart cooker leaks when a smart toaster is turned on, causing it to explode and burn down a house, the owner has a plethora of companies who are liable for the loss. These range from the retailer, to the manufacturers, through to the developers of the phone app or cooker-toaster software. Will one party be solely accountable? Or will the parties involved in creating and processing the integrated data components of the cooker and toaster be liable to some extent?
This interoperable risk is heightened as many of these devices are likely to be mass produced and therefore, not secure enough to protect personal data.
The situation with product liability may not be that complex today. When a stand-alone consumer device is malfunctions within a specified period of time, the user is entitled to certain remedies that are implied into every sale.
Product liability law in Kenya is governed by the Consumer Protection Act (the CPA) which introduced statutory liability for defective products. Liability under the CPA exists alongside liability in negligence, and in some cases a common law claim may succeed where a claim would not be available under the CPA. The CPA applies to both products used by consumers and products used in a place of work. The CPA imposes strict liability on manufacturers of defective products for harm caused by those products. This means that people who are injured by defective products can sue for compensation without having to prove that the manufacturer was negligent. It is merely necessary to prove that the product was defective, and that any injury or damage was most likely caused by the product.
Product liability will continue to play a role in the IoT. For example, if a smartwatch develops a mechanical fault shortly after purchase the user is able to return it to the seller.
Degree of liability
Worryingly to manufacturers of IoT devices, network providers and software developers, a user may bring a claim against one or all of them following a device malfunction or security breach. It is not clear if the aggrieved user will be required to prove that they have suffered damage as a result of an IoT player’s actions or if the courts will adopt a ‘strict liability’ approach.
Alternatively, courts can consider apportioning liability between everyone in the IoT product and network circle, regardless of their culpability. But even this poses problems. For example in a security hack of a network router, a court would have to decide if liability lies with the router manufacturer, the internet service provider or the actual hacker. The latter option may prove problematic as many hackers are anonymous.
Criminal or civil remedies
Currently, the law is not clear whether an aggrieved user is entitled to a criminal remedy, a civil remedy, or both. All likelihood points to the severity of the liability. For example, a mere malfunction of a smart fitness monitor leaving the user unable to measure their heart rate at the gym, is not likely to give rise to a civil or criminal conviction.
Futuristically on the other hand, a smart city malfunction could create both criminal and civil liability. For example, if smart traffic lights installed by a county council malfunction, and an automated car driving under them is incompatible with the traffic lights, meaning that the car fails to stop and drives into an oncoming vehicle, the result could be serious injury to road users. A situation like this could raise claims of criminal liability. However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car. In this type of situation, looking outside the traditional liability frontiers may be required.
IoT is still a work in progress
Regardless of how they are used, there is always the potential for a device to malfunction or for a network to be hacked. The IoT will create new risks and this in turn will require a focus on liability.
Indeed IoT is still in its early stages. The legal fraternity needs to consider either new forms of liability, or new ways to manage and apply existing laws to different entities in the IoT supply chain. With the security and privacy risks a growing public interest issue, the IoT is still a work in progress.