The Internet of Things: Liability Examples in the Energy, Healthcare, and Consumer Appliance Industries

Over the last few years, there has been a tremendous increase in the number of devices connecting to the internet.  Forbes reports that there are more than 5 million developers in the Internet of Things (“IoT”) sphere and that number is expected to double by 2020.  Gartner, Inc., projects that by 2020 more than half of new business processes and systems will utilize some element of the IoT.  Gartner further projects that, by that same time, a black market—worth in excess of $5 billion—will exist to sell fake sensor and video data from IoT devices.  I would like to share a few observations and examples about liability risks associated with the IoT in some of the industries in which my clients regularly work.

I.  Energy Development

One of the most secure sites I have visited in Texas (outside our Air Force bases) is the ERCOT supercomputer in Taylor, Texas.  ERCOT is an independent system operator (ISO) for most of Texas and services 24 million people and billions of dollars of businesses.  Together with its Austin location, the Taylor campus is the “nerve center” for managing the flow of electricity to the overwhelming majority of Texans.  ERCOT has sophisticated systems for monitoring and directing the buying and selling of electricity throughout the state.  Other ISOs, whether in the U.S. or otherwise, perform similar functions.

This past December the western Ukrainian grid was targeted in a cyberattack that resulted in power loss in multiple cities for several hours.  Imagine Dallas, Houston, Austin, and San Antonio all without power by virtue of one coordinated cyberattack.  In late 2015 Lloyd’s of London published a study called “Business Blackout” that attempts to gauge outcomes (and the resulting economic damages) of such an attack on the eastern seaboard.  Lloyd’s forecast damages between $243 billion and $1 trillion for such a blackout, even where power is restored in most areas (but assuming other areas—even just a tiny minority—are left without power for weeks).

I represent a number of commercial developers with remote-access metering and operations information.  Try to imagine the damages your commercial project might face if it gets hacked and you go offline.  Aside from any liquidated damages you might owe to the off-taker, consider (1) whether you have the technical prowess within your team to fix the security breach and restore operations and (2) whether your insurance carrier would cover you.  I suspect that many smaller commercial solar operators may be in a pinch to resolve the cyberattack themselves.  While the prospect of an attack on any particular commercial system might be small, it is worth considering in advance how you might respond in the case of such an attack.

II. Medical Devices

The Department of Commerce projects that the medical device industry will be worth roughly $133 billion in 2016.  This past January, the Food and Drug Administration issued a draft guide on post-market management of cybersecurity in medical devices.  The guide encourages developers and manufacturers to establish controls for cybersecurity vulnerability as part of the software validation and risk assessment required under 21 C.F.R. 820.30(g).  As of the date of this blog entry, the draft guidance is not binding upon developers and manufacturers.  That said, compliance with the guidance may be best practice and recommended by counsel in order to mitigate liability.  Imagine a cyberattack that could manipulate the use or function of a medical device.  A more benign attack might merely gather user information and sell that data to a third party; a malicious attack might affect a life function of the user.  Last summer, TrapX reported that at least three major hospitals have suffered data breaches after medical devices had been infected with malware.  These scenarios are not purely hypothetical.  If you are planning, releasing, or selling a medical device, start planning your cybersecurity measures and updates now or you may be liable for any damages resulting from an attack.

III. Liability with Consumer Appliances

In January 2016 The Telegraph reported that the Nest thermostat had a software glitch that forced the shutting down of the device.  The shutdown left some users unable to control the temperature in their homes.  Users complained of cold homes and possible burst water pipes.  While the glitch may seem trivial in contrast to the energy or medical device hacks, Nest may be faced with personal injury and/or property damage lawsuits.

IV. Concluding Thoughts

The size and types of damages that result from a cyberattack may vary considerably based on the type of IoT device your company markets.  However, with almost all such devices comes the risk of a cybersecurity breach that may result in liability to you.  At a minimum many cases will involve confidential or private information of the user.  At a maximum there may be significant property damage or loss of life.  As you look to bring your IoT device to market, it is imperative that you identify and manage each of these security risks and develop protocols for monitoring for and correcting any possible breaches.