November 20, 2023
The early 2000s saw the arrival of IoT technology (otherwise known as the Internet of Things) and it has since hit the major leagues, giving rise to smart fridges, wearable devices, and connected vehicles. In fact, by the year 2008, the number of connected devices in existence had exceeded the number of people living on the planet.
While IoT has cemented itself as a ubiquitous (although seldom thought of) area of technology, it has also earned a complex legal legacy that has seen the creation of the Code of Practice for Consumer IoT Security in 2018, and the Product Security and Telecommunications Infrastructure Act 2022 (the Regulations under this Act are currently making their way through parliament). Key issues include data protection, cyber security, intellectual property rights, and product liability, which makes IoT technology a particularly complex legal realm to wander into.
For those that create IoT devices and surrounding infrastructure, there is a lot to consider. What constitutes a “safe” product? Who takes legal responsibility for failures? How can businesses maximise the benefits of IoT technology, without wandering into murky waters?
In this article, we tackle the world of IoT, from common use cases on the market to the due diligence needed to create safe IoT products. So, without further ado, let’s start at the beginning…
IoT, short for Internet of Things, refers to devices fitted with a collection of technologies - including sensors and software - that connect the device to the internet so that it can record, receive, and exchange data.
IoT devices have many names: connected devices, smart devices, wireless devices, embedded systems, or, quite simply, “connected machines”. These connected machines can be found in your home, in the form of smart fridges, responsive TVs, and connected speakers. However, IoT devices are also crucial in industrial space, from stock control in retail warehouses to remote devices used in construction and manufacturing. In other words, IoT today, in many respects, is the technological cog that keeps much of our world turning.
As technology that effectively brings hardware to life, IoT has many benefits: it turns a product into an encompassing service that connects with its user in a new way. For example, when you trade your watch for a wearable device, you not only have access to the time - but to a wealth of digital information on your sleep, your heart health, your activity metrics, and more. Similarly, based on data bespoke to you, your watch can alert you to shifts in your health, while recommending products bespoke to your needs as an individual.
Products become personal thereby providing value far beyond the realms of their original function.
Despite the benefits, IoT devices come with complex challenges. Unlike traditional products, IoT devices rely on a variety of parties to exist - often different parties develop software, hardware, sensors, third-party applications, mobile operations, and IoT systems. As a result, IoT devices are an interesting collection of legal liability concerns, amplified by vulnerabilities that have resulted in damning security breaches.
Perhaps the most chilling of these was a headline in 2017 that simply stated, “Hearts can be Hacked”. Findings from an FDA investigation revealed that St. Jude’s line of implantable cardiac devices was vulnerable to hacking, with the ability of a would-be hacker to “administer incorrect pacing or shocks.” These IoT risks have continued well into the 2020s, with hackers continuing to remotely access devices to collect personal data, including spying on the personal lives of users. So much so, that in 2022, we witnessed an 87% year-over-year increase in IoT malware attacks.
To combat the security issues of IoT devices, the UK Government introduced the Code of Practice for Consumer IoT Security in 2018, which provides manufacturers with guidance on technical standards for IoT security. This has been followed by the introduction of the Product Security and Telecommunications Infrastructure Act 2022, which aims to tighten controls on IoT devices (and therefore increase their safety). This includes placing new cyber security requirements on manufacturers and the sellers of smart devices, banning default passwords, and legislating for greater transparency surrounding the collection and use of data. The Act has significantly more weight than its predecessors: failure to meet its measures could result in fines of up to £10 million or 4% of global turnover, plus up to £20,000 a day in the case of an ongoing breach. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, made under the Act, are currently before parliament and, if approved, will enter into effect on 29 April 2024.
So, what are the legal risks of IoT devices? As lawyers, we hate (or love?) to say it, but, “it depends”. However, for the purposes of this article, we’re going to explore some of the most common legal risks that come with IoT devices - and how to protect yourself against them.
Unsurprisingly, data protection is at the top of this list. Just this year, Amazon was fined $30 million by the Federal Trade Commission (FTC) as a result of their smart devices (Alexa and Ring) violating customer privacy. It was revealed that one male employee of Ring used the device to spy on over 80 female customers. In this instance, Amazon failed to protect the integrity of their users’ data, while similarly failing to educate staff on their obligation to uphold the privacy rights of Ring customers.
For IoT businesses, the integrity of your users’ data should be top of mind, backed by a data strategy that is fully compliant with UK GDPR. If you expect your devices to operate in Europe, you’ll also need to abide by the EU GDPR.
As devices continually record and process the data of users, you’ll need to meticulously address the data protection obligations of your business, including how you store, process, and use the data of your users. For example, some wearable devices may inadvertently record special categories of personal data, which will pull your business into a whole new territory of legal obligations.
When building IoT devices, embrace privacy by design. This includes prioritising the core principles of GDPR:
Another key issue here is the difficulty in defining who takes legal responsibility for failures, in a product that encompasses hardware, systems infrastructure, third-party applications, and software licensing. With so many moving parts, it’s crucial that you understand where your data protection obligations begin and end - which is where a data protection lawyer becomes an essential part of the process.
Next, let’s explore the intellectual property issues of connected devices. As we’ve already seen, these devices are made up of a number of technologies, all of which come with their own legal protections. As an IoT creator, you’ll need to carefully consider the licenses needed to bring your product to life - in addition to the permitted uses of the technologies you’ve chosen. As a broad and complex space, the intellectual property issues of IoT devices go far beyond this article, but at a top level you should consider:
Finally, let’s tackle the product liability issues of IoT devices. Due to their interconnected nature, the IoT device supply chain is a long and winding road - with countless parties needed to bring the product to life. That makes defining liability a challenge - particularly when it comes to things like product failures, safety concerns, and data breaches.
In the case of St. Jude’s implantable cardiac devices, product defects resulted in patient deaths, and the recall of 398,740 of the devices. However, after this recall, the FDA discovered that seven more defective devices had been implanted in patients.
This series of events throws up an alarming number of liability issues - who is responsible for the defective devices? Which part of the supply chain failed? Did St. Jude’s do sufficient due diligence? Who can patients hold accountable?
Due to the interconnected nature of IoT technologies, the answer to these questions is more complex than usual. As a technology that spans countless legal disciplines and jurisdictions, the importance of legal counsel when grappling with IoT can’t be overstated.
As the number of IoT security breaches increases, and as legal controls tighten, it’s never been more important to holistically address the legal hurdles of IoT. As a team of experienced technology lawyers, we’ve backed countless IoT clients through the evolutions of the technology - and have helped them ensure safe and secure products.
Are you operating in the fast-moving world of IoT? Are you keen to make sure your product stays on the right side of the tracks? Our Flamingo Subscription provides end-to-end legal support, across technology matters, data protection issues, and intellectual property management. Discover how we can back you with solid legal foundations for the IoT industry.