The influence of the Internet of Things (IoT) will undoubtedly be transformational, with a total potential economic impact estimated at $3.9 trillion to $11.1 trillion a year by 2025. In the race into the IoT marketplace, there are both known and unknown legal hurdles that will affect those who offer goods and services during the proliferation of the Internet of Things.
Some of the current and potential legal hurdles related to the IoT are well known, some are not, and some arise from the intersection between the physical and virtual worlds, where two major drivers of IoT innovation collide. On one hand, there are the established manufacturers of products and consumer goods, whose expertise in developing, testing and manufacturing physical products puts them in an advantageous position. On the other hand, there are the technology companies, whose expertise lies in software development, data collection and data processing.
Hurdles for Product and Service Providers
Current product manufacturers are well aware of patent clearance and product liability concerns. Software as a Service (SaaS) companies routinely deal with open-source software, data security and data privacy issues. These two players represent the merger of the physical and digital worlds that is required for the IoT to fully function and flourish. This merger also requires new approaches to existing issues as uniquely applied to the Internet of Things.
The first hurdle IoT product and service providers will have to clear is performing due diligence prior to making, offering for sale, or selling IoT products to ensure that such actions do not expose the provider to claims of intellectual property infringement. Not only will IoT product and service providers have to clear patents related to the structure and function of the device itself, but the additional elements necessary to participate in the IoT, such as communications modules and sensors, raise additional clearance concerns that are outside the core purpose of the device.
Moreover, if software or firmware is incorporated into the device or the services, a review of any open-source software components incorporated into the product or software should be performed to ensure that distribution of the software does not trigger license obligations the provider did not intend to accept (for example, a copyleft obligation to release the product's own source code). IoT product and service providers can lower the height of this hurdle by identifying technology partners for sourcing and licensing sensors, communication modules and other components from the holders of the IP rights in such components.
Another high hurdle that must be cleared is identifying, mitigating and insuring against the new risk exposures and liabilities that participants in the IoT must consider. Not only are conventional product liability issues present, but additional sources of risk exposure may surface because the device must connect to a network for operational control, data collection and data processing.
The addition of internet or network connectivity presents additional opportunities for a device to fail and/or be hacked in a way that causes damage or injury. For example, what additional liability is assumed if a pacemaker provides functionality for an external care provider to initiate an electric pulse to normalize a heartbeat, and the pacemaker is hacked? What is the risk exposure of the device manufacturer, the component manufacturer, or the network provider?
Another new and largely unquantified risk exposure arises from the collection of operational or other data from a device or machine. For example, what duty of care will apply to a car manufacturer that collects information related to engine performance, maintenance records, tire wear, brake wear, etc., and fails to process and pre-emptively act on that information, particularly when such a pre-emptive act could have predicted or prevented a malfunction or an accident related to the use of the device?
Further, who will be responsible for injury to a party resulting from decisions made by a computer or artificial intelligence related to an IoT product or service? While not all additional product liability risks will be immediately identifiable, spending time up front identifying potential sources of product liability risk and trying to mitigate exposure to them could be a matter of survival, particularly for start-up entities.
Risks for Product Manufacturers
One of the recurring hurdles IoT product manufacturers must overcome is earning the trust of users and consumers, so that they are willing to let the product provider collect and store their personal data. Obtaining a user's trust must be an overarching and driving concern in the development of IoT devices.
How can this be accomplished? The FTC has endorsed the concept of "Privacy by Design" (a term coined by Ontario's former Information and Privacy Commissioner, Ann Cavoukian), meaning that device and data security must be considered from the very beginning of the design and development of IoT-connected devices. Thus, the hardware of the device should support authentication protocols that ensure the device is connected to the correct network and service (and not to an attacker impersonating it); the firmware and memory should be designed so that updates and patches can be received, verified and installed throughout the product's life; and the network architecture should be selected with the intention of minimizing the damage a nefarious actor can cause by compromising one IoT device, for example by isolating devices from each other and from sensitive back-end systems. Moreover, other currently utilized data security and privacy best practices should be considered and implemented during development of IoT devices and services. Of course, the specific course will be unique to each IoT product and service, depending upon its particular functionality and scope of operation.
Finally, navigating the regulatory and legal environment for each IoT product or service may also be new for IoT participants. Generally, for products and services provided in the U.S., the FTC regulates the collection and use of personal information in a commercial setting, and the Consumer Product Safety Commission (CPSC) regulates the safety of consumer products. With connected products, the scopes of these two agencies now overlap, and conformance to each agency's guidance and standards will have to be front of mind for each IoT participant.
Moreover, there is a greater opportunity to run afoul of the law in heavily regulated industries. For healthcare IoT devices, one must navigate HIPAA for the collection of protected health information, and may also have to comply with Food and Drug Administration requirements if the IoT device qualifies as a medical device. Financial services may run into regulation or industry standards from bodies such as the Securities and Exchange Commission, the PCI Security Standards Council and the IRS, or statutes such as Sarbanes-Oxley. There will also be a substantial opportunity for the industry to shape the standards of the IoT environment by adopting industry standards and by helping to form legislation, as much of the IoT is akin to the Wild West right now, with no defined boundaries or limits. IoT participants stand to benefit if they can help define those boundaries.
Further, global IoT goods and service providers will also have to navigate the corresponding regulatory and legal environment of each country in which goods or services are provided. A particular and impending concern for IoT participants providing goods and services in the United Kingdom and the European Union is compliance with the elevated legal requirements for collecting and processing personal data under the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018.
It is imperative that participants in the IoT seek out a comprehensive legal compliance resource that can identify risk and compliance issues, and assemble a legal team tailored to each IoT participant to navigate the legal landscape of the IoT environment and mitigate risk.
This article was originally published by Legaltech News on Feb. 9, 2018. Bob Bowman is a technology attorney in Husch Blackwell’s Technology, Manufacturing and Transportation group, where he is co-leader of the Internet of Things practice area.