THE INTERSECTION OF PRODUCT LIABILITY LAW AND THE INTERNET OF THINGS

LUCAS M. AMODIO

INTRODUCTION ...... 1
I. THE INTERNET OF THINGS ...... 3
II. ISSUES WITH DATA BREACHES ...... 6
III. PRODUCT LIABILITY LAW OVERVIEW ...... 8
A. TYPES OF PRODUCT LIABILITY ...... 8
B. THEORIES OF LIABILITY ...... 10
C. LIABLE ENTITIES ...... 11
IV. THE INTERSECTION ...... 12
V. THE FEDERAL TRADE COMMISSION ...... 18
VI. PROPOSED GUIDELINES ...... 21
CONCLUSION ...... 24

2021] The Intersection of Product Liability Law and The Internet of Things 1


LUCAS M. AMODIO*

Abstract: Every year, an increasing number of Internet of Things devices are released. These devices can make our lives easier, but they also make our data, and potentially ourselves, more vulnerable to hackers. The question is no longer theoretical, as many of these devices can have a real impact on the world around them, like a networked sprinkler system that, if hacked, could flood a target’s basement. Going forward, we can look to the current law of product liability and the Federal Trade Commission to protect individuals from harm and loss when these devices might be compromised.

INTRODUCTION

As data breaches involving millions of stolen records become an everyday occurrence, new issues arise because hackers can access real-world devices and physically harm people and property. New devices come out every day which connect to the Internet, affect the real world, and elevate users’ convenience.1 Known as the Internet of Things (IoT), these devices communicate with each other, enabling networks of shared data and improving user experience.2 Want to double check a diaper without having to smell it? Internet-connected diapers can tell parents when to change the diaper and how the baby is sleeping.3 Want to give a delivery person one-time access to the garage to drop off a package? With a smart garage door opener, a user can check the current status of the door (open or closed), create a one-time use code for a delivery person to use, and even check every time that the garage door opens.4 Concerned about the COVID-19 virus? Wear a face mask that includes sensors that test the moisture you expel for the

______
* Patent Attorney, Armstrong Teasdale LLP, C|EH Certified Ethical Hacker, J.D. 2013, Indiana University Maurer School of Law; M.B.A. 2005, Indiana University; M.S., Applied Computer Science 2001, Purdue University; B.S. Computer Engineering, Rose-Hulman Institute of Technology, 1997. Special thanks to Patrick Rasche and Monica Kriegel at Armstrong Teasdale and to my wife, Miriam Cherry, and our three dogs, Plato, Socrates, and Schopenhauer, for their support.
1 10 Powerful Internet of Things (IoT) Examples of 2020 (Real-World Apps), SOFTWARE TESTING HELP (Nov. 13, 2020), https://www.softwaretestinghelp.com/best-iot-examples/.
2 Matt Burgess, What Is the Internet of Things? WIRED Explains, WIRED (Feb. 16, 2018), https://www.wired.co.uk/article/internet-of-things-what-is-explained-iot.
3 Samantha Murphy Kelly, Pampers Is Making a ‘Smart’ Diaper. Yes, Really, CNN BUS. (July 19, 2019), https://www.cnn.com/2019/07/19/tech/pampers-smart-diapers/index.html.
4 Trevor Harwood, Best WiFi and Bluetooth Smart Garage Door Openers, SMART HOME SCOUT, https://www.postscapes.com/wifi-garage-door-opener/ (last visited Nov. 11, 2020).

2 Boston College Intellectual Property & Technology Forum [BC IPTF

virus.5 Heading home and want to warm up or cool off the house before arrival? Access the house’s remote-control thermostat to change the temperature of the house.6 Users can even remotely start a cozy fire in the fireplace.7 Want to take the perfect shower? An Internet-connected shower can set the temperature, monitor the water usage, and even remotely shut the shower off.8 Want to check on Fido to make sure he is not on the couch? Activate a pet camera that will allow the user to hear and speak to the dog, as well as dispense treats for good behavior.9 The purpose of all these devices is to “enrich the customer experience” and to provide their manufacturers insight into the users, ultimately providing an edge over competing products.10

Although these products can help users control and manage their lives, these devices may also provide a pathway for bad actors, hackers, to access users’ homes and negatively impact their lives. For example, if a hacker is able to control a house’s thermostat, the hacker can turn the heat off in the winter, potentially freezing pipes and causing significant water damage. Or the hacker could remotely turn on a sprinkler system for days, potentially flooding the yard, and perhaps even neighboring basements. There are also IoT devices outside of the home that can cause physical damage. A leading hacking story of 2015 involved two hackers who demonstrated how to compromise an automobile while it was on the road.11 Turning off a driver’s brakes and causing them to crash could hurt people and cause major property damage. For example, if a hacker takes remote control of a vehicle and rams the vehicle into a china shop, who is responsible for the damage to the china shop? The damage to the vehicle? The damage to the driver and/or the passengers? Or even a bystander who was hurt?

______
5 Susan Biagi, Sensors that Detect COVID-19 Could Be in Your Next Face Mask, IOT INTEGRATOR (July 29, 2020), https://www.theiotintegrator.com/health/sensors-that-detect-covid-19-could-be-in-your-next-face-mask.
6 Megan Wollerton, The Best Smart Thermostat of the Year, CNET (Nov. 23, 2020), https://www.cnet.com/news/best-smart-thermostat-of-the-year/.
7 Creating a Smart Fireplace Switch with a Shelly Relay, HOMETECHHACKER (Nov. 14, 2019), https://hometechhacker.com/creating-a-smart-fireplace-switch-with-a-shelly-relay/.
8 Andy Crabtree et al., Probing IoT-Based Consumer Services: ‘Insights’ from the Connected Shower, 24 PERS. & UBIQUITOUS COMPUTING 595, 598 (2020); see also Eric Blank, Would You Shower with Alexa? These Smart Showers Can Make It Happen, THESMARTCAVE.COM, https://thesmartcave.com/best-smart-shower/ (last visited Nov. 20, 2020) (discussing benefits of internet connected showers such as allowing users to calibrate “their preferred water temperature, outlet, flow rate, shower duration, and much more”).
9 Furbo Dog Camera, FURBO, https://shopus.furbo.com/ (last visited Nov. 11, 2020).
10 Tom Raftery, How to Enrich the Customer Experience Using Internet of Things, FORBES (Dec. 21, 2017), https://www.forbes.com/sites/sap/2017/12/21/how-to-enrich-the-customer-experience-using-internet-of-things/#1e16a8705bb0.
11 Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway—with Me in It, WIRED (July 21, 2015), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/; see generally CHARLIE MILLER & CHRIS VALASEK, REMOTE EXPLOITATION OF AN UNALTERED PASSENGER VEHICLE (2015), http://illmatics.com/Remote%20Car%20Hacking.pdf.


Courts have encountered difficulties determining damages in cases where private information was stolen.12 Nevertheless, where a house is flooded or a car is crashed into a store, the damages will be more quantifiable. Although technology is generally several years, or even decades, ahead of the law, there is an area of law where the path to the courthouse is well worn and where rules are already in place that may apply in these situations: product liability law. This area of law may provide a way for victims of physical IoT damage to recover more easily than those who suffer data breaches.

To explore this argument further, Part I of this Article discusses the IoT and the physical damage that hackers could do if they gained control over remotely controlled devices, say, in a user’s home.13 Part II explains how the law surrounding data breaches has not developed in a way that is helpful to parsing these disputes, mostly because the victims of data breaches are unable to show how, precisely, they were damaged in ways that can be recognized by the law.14 Part III provides an overview of product liability law.15 Part IV notes how plaintiffs will naturally turn to product liability law to provide them with a path to recovery. It further describes potential causes of action and notes the instances where a negligence standard would be helpful due to the evolving state of technology.16 Then, Part V discusses recent developments at the Federal Trade Commission to ascertain best practices for security and the IoT.17 Finally, Part VI explores the evolving standards and some additional areas of concern, concluding with ways that manufacturers and installers of IoT devices can be proactive with security and prevent liability before it arises.18

I. THE INTERNET OF THINGS

More than just a buzzword, the Internet of Things (IoT) represents “the ability of everyday objects to connect to the Internet and to send and receive data.”19 This allows everyday objects to provide data for future analysis, such as a health monitor counting the number of steps an individual took in a day.20 These devices also allow users to remotely control connected objects, such as turning lights on or off when the user is away from home. This is further described by Jacob Morgan of Forbes.com, who summarizes IoT as:

______
12 J. Thomas Richie & John E. Goodman, Yes, but Were You Hurt? Another Data Breach Case Dismissed for Lack of Damages, DECLASSIFIED (Aug. 27, 2019), https://www.classactiondeclassified.com/2019/08/yes-but-were-you-hurt-another-data-breach-case-dismissed-for-lack-of-damages/#page=1.
13 See discussion infra Part I.
14 See discussion infra Part II.
15 See discussion infra Part III.
16 See discussion infra Part IV.
17 See discussion infra Part V.
18 See discussion infra Part VI.
19 FED. TRADE COMM’N, INTERNET OF THINGS: PRIVACY AND SECURITY IN A CONNECTED WORLD, at i (2015) [hereinafter F.T.C. STAFF REPORT].
20 Neel Mani et al., An IoT Guided Healthcare Monitoring System for Managing Real-Time Notifications by Fog Computing Services, 167 SCIENCEDIRECT 850, 856 (2020).


[T]he concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. . . . As I mentioned, if it has an on and off switch then chances are it can be a part of the IoT. . . . The new rule for the future is going to be, “Anything that can be connected, will be connected.”21

The analysis firm Gartner found that there were approximately 6.4 billion IoT units in use in 2016.22 Gartner predicted that that number would rise to 8.4 billion units in 2017 and to 20.4 billion units in 2020.23 Now, in 2020, the estimated number for this year exceeds 31 billion units, with global spending on IoT estimated at $1.29 trillion.24 As the IoT becomes more prevalent and more devices are connected through the Internet, the potential for hackers to cause real physical harm grows with each interconnected device.

The first IoT device has been attributed to the Carnegie Mellon Computer Science Department.25 In 1982, students connected a Coca-Cola vending machine to the school’s Internet network, which allowed them to remotely monitor whether the machine had any soda and what temperature the machine was running.26 This started the IoT tradition of connecting non-computing devices to networks to start making people’s lives easier. The term “Internet of Things” was not coined until much later, in 1999. IoT devices are currently used in consumer environments, “such as light fixtures, home appliances, and voice assistance for the elderly.”27 IoT devices are used in commercial environments, such as the “health care and transport industries,” for such innovations as “smart pacemakers,” and in “vehicle to vehicle communications.”28 Further, the “Industrial Internet of Things” enables big data analytics and “smart agriculture.”29 Finally, Infrastructure IoT “enables connectivity of smart cities through the use of infrastructure sensors, management systems, and user-friendly user apps.”30

______
21 Jacob Morgan, A Simple Explanation of ‘The Internet of Things’, FORBES (May 13, 2014), https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#ccace051d091.
22 Press Release, Gartner, Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent from 2016 (Feb. 7, 2017), http://www.gartner.com/newsroom/id/3598917.
23 Id.
24 Gilad David Maayan, The IoT Rundown for 2020: Stats, Risks, and Solutions, SECURITY TODAY (Jan. 13, 2020), https://securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx.
25 John A. Rothchild, Net Gets Physical: What You Need to Know About the Internet of Things, ABA BUS. L. TODAY (Nov. 17, 2014), https://www.americanbar.org/groups/business_law/publications/blt/2014/11/03_rothchild/.
26 Id.
27 Maayan, supra note 24.
28 Id.
29 Id.
30 Id.


Furthermore, for the purposes of this discussion, IoT devices can be divided into two different categories: those designed for data collection and analysis and those that interact with the real world. Many of the IoT devices in the wild are data collection and collation devices, such as fitness trackers and weather monitoring sensors.31 These IoT devices collect data about their environment and provide it to applications for analysis. When these devices are hacked, information can be stolen and potentially misused, but most of these IoT devices do not actively affect their surroundings. For the other type of IoT devices, those that can directly affect the real world, malicious individuals can use or misuse these devices in a multitude of ways to cause damage. Although being able to remotely program and operate these devices may be a convenience to the user, the network connections also open the user up to damage and/or injury if these devices are breached. In addition to taking over the autonomous vehicle,32 hacked medical devices could pose a significant health risk to patients,33 hacked smart appliances (e.g., stove, fireplace, and refrigerator) may be overloaded to start a fire or otherwise harm consumers,34 and hacked doors can be remotely unlocked for thieves.35

For purposes of this discussion, there are three situations in which an IoT device could potentially be used to cause damage and/or injury. First, where the IoT device directly causes the damage, e.g., the stove is set to catch fire, the locks are opened for thieves, or the pacemaker causes a dangerous arrhythmia in the patient. Second, where the IoT device did not directly cause the damage but was used as a pathway to the IoT device that caused the damage. For example, where the IP camera was hacked and allowed access to other IoT devices on the network, such as the appliances that caused the damage. A network is only as secure as its components. This is emphasized in one case where an Internet-connected fish tank at a casino was hacked and then used to steal data from the casino network.36 There the IoT device was the weak point in the security of the

______
31 THOMAS H. DAVENPORT & JOHN LUCKER, RUNNING ON DATA: ACTIVITY TRACKERS AND THE INTERNET OF THINGS 5–6 (2015); BRUCE HARTLEY, THE INTERNET OF THINGS - WEATHER MONITORING TOO 6 (2012).
32 Greenberg, supra note 11.
33 Shaun Sutner, FDA and UL Weigh in on Security of Medical Devices, IoT, IOT AGENDA (July 20, 2015), https://internetofthingsagenda.techtarget.com/feature/FDA-and-UL-weigh-in-on-security-of-medical-devices-IoT.
34 Swapnil Bhartiya, Your Smart Fridge May Kill You: The Dark Side of IoT, INFOWORLD (Mar. 3, 2017), https://www.infoworld.com/article/3176673/your-smart-fridge-may-kill-you-the-dark-side-of-iot.html; see Ashley Carman, Smart Ovens Have Been Turning on Overnight and Preheating to 400 Degrees, VERGE (Aug. 14, 2019), https://www.theverge.com/2019/8/14/20802774/june-smart-oven-remote-preheat-update-user-error (discussing dangers of connecting mobile devices to oven appliances and “the added risk of an oven preheat being a tap away”).
35 Zack Whittaker, Security Flaws in a Popular Smart Home Hub Let Hackers Unlock Front Doors, TECHCRUNCH (July 2, 2019), https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/.
36 Lee Mathews, Criminals Hacked a Fish Tank to Steal Data from a Casino, FORBES (July 27, 2017), https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/#5feb50d332b9.

system.37 Finally, the third situation is where the IoT device is compromised and used to perform denial of service attacks on other IoT devices, which causes damage and/or injury.38

II. ISSUES WITH DATA BREACHES

Data breaches have become an almost everyday occurrence. In 2020, many users of popular photo and video sharing platforms had their profiles leaked. That year, a massive data breach exposed the profiles of over 235 million Instagram, TikTok, and YouTube users.39 Security experts warned that users should be aware of spam and phishing efforts that could result from this data leak. Although this latest group of breaches was the result of unsecured databases, hackers have exploited many different platform vulnerabilities in past attacks. Unfortunately, such data breaches have become incredibly routine. In fact, they are an almost daily occurrence, and there is a dedicated Wikipedia page that lists these data breaches among companies, such as medical providers, that safeguard our most confidential information.40 When data that is supposed to be secure and private is breached, it can be devastating and expensive for individuals and companies. Of known public data breaches, one of the largest, called “Collection #1,” exposed over 700 million unique emails and over 21 million unique passwords.41

Although these breaches are alarming, one conceptual difficulty remains. With each hack, what damage was actually done and how should victims be compensated? Another way to put it is, if 21 million passwords are stolen, was anyone really hurt? The short answer is that it is sometimes difficult to tell. If those stolen emails and passwords were then used to break into other accounts, such as online banking accounts, or used to steal the individuals’ identities to purchase products through online stores using the victims’ information, then the damage could be quantified. In many cases, however, it will be difficult to determine the exact fallout of these data breaches. Although we know the data is stolen, information on how the data is being used to hurt the victims is not readily available.42 As a result,

______
37 Id.
38 See Nicky Woolf, DDOS Attack that Disrupted the Internet was the Largest of its Kind in History, Experts Say, GUARDIAN (Oct. 26, 2016), https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet (describing DDOS attack launched by compromised IoT devices that seriously disrupted Internet operations).
39 Davey Winder, 235 Million Instagram, TikTok and YouTube User Profiles Exposed in Massive Data Leak, FORBES (Aug. 19, 2020), https://www.forbes.com/sites/daveywinder/2020/08/19/massive-data-leak235-million-instagram-tiktok-and-youtube-user-profiles-exposed/#68aa8e9c1111.
40 List of Data Breaches, WIKIPEDIA, https://en.wikipedia.org/wiki/List_of_data_breaches (last visited Nov. 11, 2020).
41 Victoria Song, Mother of All Breaches Exposes 773 Million Emails, 21 Million Passwords, GIZMODO (Jan. 17, 2019), https://gizmodo.com/mother-of-all-breaches-exposes-773-million-emails-21-m-1831833456.
42 Michael Hooker et al., Have We Reached the Tipping Point? Emerging Causation Issues in Data-Breach Litigation, 94 FLA BAR J. 8, 9–16 (2020).

courts have had challenges in determining standing and quantifying damages based on data breaches.43 As a threshold matter, can the plaintiff prove that the harm allegedly suffered was directly caused by the data breach in question?44 Courts are beginning to require that plaintiffs prove that a specific data breach was the cause of their harm.45 The second challenge is showing that the plaintiff was actually harmed by the data breach.46 In a 2017 case from the D.C. Circuit, Attias v. CareFirst, Inc., the court dismissed all of the claims for damages except for those of two individuals who claimed actual identity theft.47 As these claims are more nebulous and more directed to the potential for harm than to actual, quantifiable harm, litigants will have a more difficult time proving “injury in fact.”48

Although plaintiffs have successfully alleged that they were damaged solely by nature of their data being stolen, such as in the Target breach settlement of $18.5 million,49 Yahoo’s $117.5 million class-action settlement,50 and the Equifax breach settlement providing up to $425 million for those affected,51 the actual damages are hard to quantify. Despite the increasing amounts of the settlements in these cases, there is no standard for how to calculate damages for individuals whose private information is compromised. For example, in the Equifax settlement, some of the damages include paying those affected $25 an hour for time spent recovering from identity theft or fraud.52 Damages directly related to physical injuries or property damage are quantifiable and can be addressed, not by data breach theories, but by product liability law. So what happens if an Internet of Things (IoT) shower is hacked and the user is burned, or the shower is caused to constantly run, causing flooding? In most circumstances, the hacker is unavailable, judgment-proof, or may be outside of the jurisdiction.53 At this point, consumers may turn to product liability law to recover their losses from one or more of the manufacturers, sellers, retailers, and/or IoT device installers.

______
43 Id.
44 Id.
45 Id.
46 Richie, supra note 12.
47 Attias v. CareFirst, Inc., 865 F.3d 620, 625–26 (D.C. Cir. 2017).
48 Hooker, supra note 42.
49 Kevin McCoy, Target to Pay $18.5M for 2013 Data Breach that Affected 41 Million Consumers, USA TODAY (May 23, 2017), https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.
50 Kelly Tyko, Yahoo Data Breach Settlement 2019: How to Get Up to $358 or Free Credit Monitoring, USA TODAY (Oct. 14, 2019), https://www.usatoday.com/story/money/2019/10/14/yahoo-data-breach-117-5-million-settlement-get-cash-monitoring/3976582002/.
51 Equifax Data Breach Settlement, FED. TRADE COMM’N (Jan. 2020), https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement.
52 Id.
53 Eldar Haber, The Cyber Civil War, 44 HOFSTRA L. REV. 41, 54 (2015).


III. PRODUCT LIABILITY LAW OVERVIEW

Product liability law is a series of laws designed to protect the consumer by holding those that make and distribute products responsible for the injuries that those products cause.54 For product liability law to apply, the products are traditionally limited to tangible personal property.55 The damages may include economic injury, such as the product being rendered unusable, physical injury, and damage to property. Although there is no federal product liability law, various states have codified product liability laws. Nevertheless, these laws vary by state and product category. As defined by the Third Restatement of Torts,56 there are three categories of product liability: manufacturing defect, design defect, and inadequate instructions or warnings defect.57 The common law has defined three major theories of liability: breach of warranty, negligence, and strict liability.58

This section will explore how product liability law applies to the world of the Internet of Things (IoT). Part A will discuss the three categories of product liability and provide examples of how each category can be applied to IoT.59 Part B will discuss each of the major theories of liability and how they connect with IoT.60 Part C will explore how product liability law in IoT may expose multiple entities to liability.61

A. Types of Product Liability

A manufacturing defect exists when “the product departs from its intended design even though all possible care was exercised in the preparation and marketing of the product.”62 This includes poor-quality materials or shoddy workmanship. An example would be an electrical cable whose insulation is insufficient due to an error in manufacturing, which may lead to a shock or electrocution. In the world of IoT, an example of a manufacturing defect would be a device that has a physical button that needs to be pressed to reset the password. During the manufacturing process, however, solder is dropped on the circuitry for the button, which causes the IoT device to consider the button to always be pressed. This could allow someone to remotely change the password and take control of the device, which could prevent the true owner from accessing the device.

A design defect is when “the foreseeable risks of harm posed by the product could have been reduced or avoided by the adoption of a reasonable alternative design by the seller or other distributor, or a predecessor in the

______
54 RESTATEMENT (THIRD) OF TORTS: PRODUCT LIABILITY § 1 (1998).
55 Id. § 19.
56 Id. § 19.2.
57 Id.
58 Id. § 1.
59 See discussion infra Part III.A.
60 See discussion infra Part III.B.
61 See discussion infra Part III.C.
62 RESTATEMENT (THIRD) OF TORTS: PRODUCT LIABILITY § 2 (1998).

commercial chain of distribution, and the omission of the alternative design renders the product not reasonably safe.”63 In other words, the design of the product causes it to be inherently dangerous or useless no matter how it is manufactured. For example, the gas tank in the Ford Pinto was placed between the rear bumper and the rear axle, which led to leaks and fires during rear-end collisions.64 A parallel in the IoT world would be a device that stores a hardcoded administrator password in the device’s firmware. By design, this device would be insecure. Even if the password is not given to the users, security researchers or hackers would be able to discover the password by reviewing the device’s software or firmware.65

Finally, a marketing defect is also known as a failure to warn. A marketing defect exists “when the foreseeable risks of harm posed by the product could have been reduced or avoided by the provision of reasonable instructions or warnings by the seller or other distributor, or a predecessor in the commercial chain of distribution, and the omission of the instructions or warnings renders the product not reasonably safe.”66 This covers hidden dangers and ensures that users are provided with proper instructions on the use of the product. An example of a product that would require proper warning is a set of Christmas lights that heat up over time. The manufacturer must provide a warning to the user not to leave the lights lit for more than three hours. An IoT example would be where the user is instructed to change the password from the default “12345” that the product is set with initially. Another IoT example would be where the user is instructed to set up two-factor authentication on their device, rather than relying on just a username and password. Two-factor authentication requires the user to provide two different authentication factors to access the device. The factors include: something a user inputs, such as a password or PIN; a physical item the user has, such as an ID card, phone, or fob; or something unique to the user, such as biometric identifiers (e.g., a voice print or fingerprint).67 For example, to access an IoT device, the user may be required to provide a username and password and then enter a unique code that is texted to their phone or email to access the program.68 Recently, not instructing the user to set up two-factor authentication has been used to allege a failure to provide adequate security.69

______
63 Id.
64 Dennis Gioia, Pinto Fires and Personal Ethics: A Script Analysis of Missed Opportunities, 11 J. BUS. ETHICS 379, 280–381 (1992).
65 See, e.g., THE EXPLOITEERS, Hack All The Things: 20 Devices in 45 Minutes, YOUTUBE (Oct. 2, 2014), https://www.youtube.com/watch?time_continue=24&v=h5PRvBpLuJs (demonstrating instances where hackers cracked the password of various devices using a Universal Asynchronous Receiver/Transmitter).
66 RESTATEMENT (THIRD) OF TORTS: PRODUCT LIABILITY § 2 (1998).
67 Seth Rosenblatt & Jason Cipriani, Two-Factor Authentication: What You Need to Know (FAQ), CNET (June 15, 2015), https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/ (explaining what two-factor authentication is and describing different authentication methods).
68 Id.
69 See Complaint at 11–12, LeMay v. Ring LLC, No. 2:20-cv-00074 (C.D. Cal. filed Jan. 03, 2020) (alleging that failing to require users to set up two-factor authentication equates to poor security).


B. Theories of Liability

Breach of warranty claims usually cover one or more of the following types: breach of express warranty, breach of implied warranty of merchantability, and breach of implied warranty of fitness for a particular purpose.70 An express warranty is an express statement that the manufacturer or seller made about the product. Specifically, “[a]ny description of the goods which is made part of the basis of the bargain creates an express warranty that the goods shall conform to the description.”71 For example, an advertisement stating that a particular chainsaw is powerful enough to cut through a two-inch steel bar creates an express warranty. An implied warranty of merchantability is inherent to cover the normal expectations common to products (e.g., that the product is fit for the ordinary purposes for which such goods are used).72 For example, in the above scenario, there may be an implied warranty of merchantability that the chainsaw could be used to cut off a tree branch. An implied warranty of fitness for a particular purpose applies when the buyer wishes to use a product for a particular, but non-ordinary purpose.73 Nevertheless, to establish such a claim, the seller needs to know the buyer’s purpose for purchasing the product, and the buyer had to rely on the seller’s skill or judgment to select or furnish suitable goods.74 An example of a breach of the implied warranty of fitness for a particular purpose would be where an individual buys an electric chainsaw for the purpose of cutting the Thanksgiving turkey. If the seller knows that the buyer bought the chainsaw for this purpose, and still sells the chainsaw, the seller is implying that the chainsaw could be safely used for that purpose. If the chainsaw is too powerful and cuts through not only the turkey, but the plate, the table, and the user’s leg, then the implied warranty of fitness for a particular purpose has been breached.

In the IoT world, a self-driving car comes with an express warranty that it may be used to safely transport the passengers from one point to another. If the user wishes to travel from his or her home to the grocery store, there is an express warranty that the car will get them to the grocery store. In addition, there is an implied warranty that the car will get the user to the grocery store safely. The user can expect that the car will drive on the roads, not the sidewalks, and obey traffic laws. Moreover, there is an implied warranty that the self-driving car will drive the user to the grocery store in an efficient manner. For example, a user can expect that the car would not take a 20-mile detour before reaching the destination.

Negligence means a failure to meet a standard of care that someone of ordinary prudence would have exercised.75 This standard of care is based on industry standards. For this theory of liability, the plaintiff must also prove that the plaintiff’s injury was a direct result of the defendant’s negligence. Negligent

______
70 See U.C.C. §§ 2-313, 2-314, 2-315 (2019) (listing each type of warranty breach).
71 U.C.C. § 2-313.
72 Id. § 2-314.
73 Id. § 2-315.
74 Id.
75 See RESTATEMENT (THIRD) OF TORTS: NEGLIGENCE § 3 (2010) (defining negligence as a failure to exercise reasonable care).

2021] The Intersection of Product Liability Law and The Internet of Things 11 conduct may consist of either an act, or an omission to act when there is a duty to do so.76 The plaintiff must also show that the defendant should have foreseen the risk at the time of manufacture or sale. One issue with using negligence as a theory of liability for IoT products is that the industry is still very new, and a standard of care for IoT has not yet been developed. Furthermore, the Federal Trade Commission has agreed that “legislation aimed specifically at the IoT at this stage would be premature.”77 Therefore a standard of care for IoT devices needs to be developed before this theory of liability may be used. Strict liability applies where the manufacturer is automatically liable if the product is defective, even if there was no discernable negligence. Under strict liability, a plaintiff may recover (1) if the product was defective; (2) if the defect was caused by the Defendant; and (3) if the defect caused personal injury or property damage.78 In the classic words of Justice Traynor, “It is to the public interest to discourage the marketing of products having defects that are a menace to the public.”79 Under a strict liability theory, the tortfeasor is not only liable to the direct customers and users, but also to any innocent bystanders randomly injured by defective products. These products are generally considered inherently dangerous or prone to causing serious injuries.80 One example of products covered by strict liability is aircraft. Although air travel is safer than driving, aviation accidents can result in serious injury or death. If there is a mechanical defect in the aircraft, then the manufacturer is automatically liable under strict liability. If this serious injury standard is applied to IoT devices, then a prime example is a self-driving car. 
Although a self-driving car could supposedly be safer than one driven by an average driver, a defective self-driving car has the potential for causing significant injury to both individuals and property.

C. Liable Entities

Under product liability law, multiple parties in the chain of commerce could potentially be liable. Depending on the jurisdiction, this may include the manufacturer of the product, the manufacturer of one or more component parts, the party that assembles the product, the wholesaler, the retail store that sold the product to the consumer, and even the installer of the product. Although certain parties in the chain of commerce may be indemnified by others in the chain, many may attempt to point the finger at the user for improperly using the device and/or at the installer for improper installation. With IoT devices becoming more commonplace, the individual product installer could be targeted frequently. Examples could include the house builder who integrates IoT devices such as thermostats into the house, the technician who wires the house with IP cameras, and the homeowner’s brother-in-law who comes over to set up a new device.

______76 RESTATEMENT (SECOND) OF TORTS § 282 (1965). 77 F.T.C. STAFF REPORT, supra note 19, at 49. 78 RESTATEMENT (SECOND) OF TORTS § 402 (1965). 79 Escola v. Coca-Cola Bottling Co., 150 P.2d 436, 441 (Cal. 1944) (Traynor, J., concurring); see Greenman v. Yuba Power Products, 377 P.2d 897, 901 (Cal. 1963) (discussing Justice Traynor’s concurring opinion in its analysis of a strict liability case). 80 See RESTATEMENT (SECOND) OF TORTS § 402 (1965) (stating a seller is subject to liability if a product is “unreasonably dangerous”).

12 Boston College Intellectual Property & Technology Forum [BC IPTF

IV. THE INTERSECTION

This Section examines how product liability law can be applied to a hacking case within the Internet of Things (IoT). The first question to ask is what defect in the device caused the property damage or personal injury. For purposes of this discussion, a lack of security or inadequate security could be considered a defect for the purposes of bringing a claim under product liability law. Poor security could be considered a defect if the lack or inadequacy of security was the “but for” cause of the injury. Nevertheless, just because a system was hacked does not necessarily mean that it had inadequate security. Therefore, a “reasonable cybersecurity” standard needs to be applied to the hacked IoT device to determine whether the device had a reasonable amount of security. This reasonable cybersecurity standard could serve as a safe harbor for those manufacturing, installing, and maintaining IoT devices. By providing security for these devices that at least meets or exceeds the standard, the manufacturing, installation, and maintenance companies would be able to show that they were not negligent and did not create a defect in the IoT device.

There are two major issues that should be considered when treating inadequate security as a defect. This may come as a disappointment, but the first issue is that no computer system or software is ever going to be one-hundred percent secure.81 There are several reasons for this. The primary reason is actually the users. In fact, “the weakest part of [a] system will be administrators, users, or technical support people who fall prey to social engineering.”82 Social engineering, in this context, is where an attacker uses deception to manipulate individuals into divulging confidential or personal information for fraudulent purposes. Attackers can then use that information to gain access to protected systems and information.83 Examples of social engineering include phishing emails, in which a malicious actor contacts individuals while pretending to be a trusted party such as tech support and includes malicious links or attachments. When a user clicks the link or opens the attachment, the malicious actor can gain access to the system.84 Through such trickery, attackers are often able to gain access more easily than by guessing login credentials.

______81 Scott Norberg, Why Making a Software System 100% Secure Is Impossible, BLOGGER (July 6, 2014), http://scottnorberg.blogspot.com/2014/07/why-making-software-system-100-secure.html (describing the inherent risks to information security). 82 JOHN VIEGA & GARY MCGRAW, BUILDING SECURE SOFTWARE: HOW TO AVOID SECURITY PROBLEMS THE RIGHT WAY 93 (2002). 83 What is Social Engineering?, KASPERSKY, https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering (last visited Oct. 28, 2020). 84 See Mike James, 5 Ways to Spot a Phishing Email, NAT’L CYBERSECURITY ALL. (Aug. 22, 2018), https://staysafeonline.org/blog/5-ways-spot-phishing-emails/ (describing how to identify the common characteristics of phishing emails).


Next, there is a tradeoff between the user-friendliness and the security of a system. Generally, the more secure a system, the more difficult it is for the average user to use. As most IoT devices are designed to be used every day by individuals who are not technically savvy, most users would avoid or circumvent systems with significant or complex security controls.85 In addition, computers are extremely complex, and an attacker may combine several factors to circumvent security in a way not previously seen.86 Finally, complexity itself leads to vulnerabilities. The more complex a system or its software, the more likely that there are vulnerabilities in at least one of the hardware or software components, or in how the two interface. Attackers may use these vulnerabilities to breach the security of the system. Accordingly, a consumer cannot rely on a device being one-hundred percent secure.

The second major issue with treating inadequate security as a defect is that security is constantly evolving. Security is a constant battle between those trying to secure devices and those trying to break into them. As computers and algorithms improve, what was once considered secure becomes insecure. One example is Wired Equivalent Privacy (WEP) encryption. WEP was part of the original IEEE 802.11 wireless networking standard, published in 1997.87 It was believed to be secure, but by 2001 security researchers had shown that weaknesses in the way WEP used the RC4 cipher allowed an attacker who captured enough traffic to recover the key and read the encrypted messages. As of June 30, 2010, the Payment Card Industry prohibited the use of WEP encryption.88 Therefore, the constantly evolving nature of cybersecurity must be considered when looking at security as a defect. An analysis of the three theories of liability leads to a potential way forward.

Applying strict liability theories to the security of IoT devices could be too high a standard to meet and could seriously injure this rapidly growing industry. First, as previously described, there is no such thing as a one-hundred percent secure system. Therefore, just because a system was hacked does not mean that its security was defective. As a policy matter, it might be best to apply strict liability only to those IoT devices that would be inherently dangerous if misused, such as automobiles and implanted medical devices. If the security of these products was breached, then the manufacturer could be automatically liable for any damage caused by a hacker. This would force manufacturers to pay close attention to the security of their products. As a commenter stated at the 2013 FTC hearings, “There is no financial incentive to companies to make their devices secure. When is the last time that you saw a bad review on because some product had a security vulnerability? Never.”89 Despite the lack of incentive, automobile manufacturers have the wherewithal to secure their vehicles, and customers would be willing to pay for the peace of mind. Nevertheless, applying such strict liability standards to smaller devices, such as IoT toasters and cameras, might be devastating to the industry as it keeps evolving.

The breach of warranty theory may be used to attempt to show that the manufacturer or seller of the device expressly warranted that the device would be secure. Yet there is no such thing as a truly secure device. Therefore, even if the manufacturer or seller states otherwise, no reasonable person who has been watching the news for the last few years would believe that any device is truly secure. Misleading the buyer might be better covered under false advertising, and the remedy might be more viable through the Federal Trade Commission and/or individual states’ mini FTC Acts.90

Of the three theories of liability, a lack of security or too little security in an IoT device best fits under the theory of negligence. Under negligence, the manufacturer and others would have to secure the device to the industry’s standard of care. Currently, there is no standard of care for the security industry or the IoT industry.91 In addition, general appliance and device industries do not have a security standard of care. Although there is a standard of care for the manufacturing and installation of a washing machine, such as safeguards to prevent flooding, the washing machine industry does not have a standard of care to prevent malicious hacking of a washing machine that is connected to the Internet. Although there is no true industry standard of care for security, best practices are beginning to emerge. For example, standards on passwords and data encryption are starting to come to the forefront.

______85 Jason R. C. Nurse et al., Guidelines for Usable Cybersecurity: Past and Present, in 2011 THIRD INTERNATIONAL WORKSHOP ON CYBERSPACE SAFETY AND SECURITY (CSS) 21, 21–22 (2011). 86 Id. 87 IEEE COMPUTER SOCIETY, WIRELESS LAN MEDIUM ACCESS CONTROL (MAC) AND PHYSICAL LAYER (PHY) SPECIFICATIONS 62–66 (1997), http://ant.comm.ccu.edu.tw/course/92_WLAN/1_Papers/IEEE%20Std%20802.11-1997.pdf. 88 WIRELESS SIG IMPLEMENTATION TEAM, PCI SEC. STANDARDS COUNCIL, INFORMATION SUPPLEMENT: PCI DSS WIRELESS GUIDELINE § 4.4 (2009).
Nevertheless, the constant arms race between attackers and defenders may lead to another problem with IoT devices. Although the devices may last for many years, the security initially loaded into the device may become outdated. This raises the question: for how long in the lifecycle of the device is the manufacturer liable for its security? Many of these products are sold as-is, and the manufacturer has no easy way to update them. For example, Chrysler had to update the software in all of its Jeep Cherokees to prevent a potential hack that would allow a remote attacker to take control of the vehicle.92 Two security researchers discovered how to remotely access a Jeep Cherokee, rewrite the code in the vehicle, and remotely control systems in the car ranging from the radio to the brakes and transmission.93 Jeep responded by releasing a patch that would resolve the vulnerability that the security researchers exploited.94 Yet Jeep released the patch through USB sticks that were mailed to the owners of the vehicles. This put the burden of patching the vehicle on the owners, which means many vehicles on the road may still be vulnerable.95

Product liability law can be applied to all three of the damage situations previously described. First, and most obviously, where the IoT device directly causes damage or injury, those in the supply chain for that device would share some portion of the restitution. This can be adjusted based on the agreements that the different entities in the chain have with each other. It can also be adjusted based on how the security vulnerability was introduced. If the device always had the vulnerability, such as a hard-coded administrator password, then the device manufacturer would shoulder the responsibility for the defect and thus should be responsible for paying restitution. If the IoT device was improperly installed by a representative, then more of the liability should rest on the retailer’s, and possibly the subcontractor’s, shoulders.

In the second situation, if the IoT device did not directly cause the damage, but still had a security vulnerability that was exploited to reach the device that caused the damage, then that IoT device should be included in the analysis of responsibility and damages, even if it could not directly cause physical damage or injury. For example, imagine a scenario in a smart home where some Internet Protocol (IP) cameras have poor security, and a hacker is able to access the cameras remotely. The hacker can then leverage that access to compromise other devices on the same network, including any remote-controlled windows. If the hacker subsequently opens the windows during a massive rain storm, which party should be responsible for the resulting damage to the house and the personal property caused by the rain? In this situation, the IP cameras could be considered the “but-for” cause of the damage. If the cameras had not had a hard-coded password, the hacker would not have been able to get into the house’s network. Thus, for any analysis of product liability claims, the IP camera manufacturer should be considered to bear responsibility for the breach due to its poor security. The window manufacturer may even be able to shift a larger portion of responsibility for the damage to the IP camera manufacturer. Nevertheless, the IP camera manufacturer could respond that the remote-controlled windows should not have acted on those commands and should have recognized that they were unauthorized commands from an outside source. Liability in this case would depend on the jurisdiction and on the applicable security standard of care for both manufacturers. But holding the manufacturer of an IoT device (or the installer, if it is their fault) responsible for some or all of the damage caused by malicious use of another IoT device would notify all manufacturers (and installers) that they have some responsibility for the security of all of the IoT devices on the network, because their devices may be used as a point of ingress to access other devices. The security of a network is only as good as its weakest link.

______89 John Rothchild, Net Gets Physical: What you need to know about the Internet of Things, BUS. L. TODAY (Nov. 17, 2014), https://www.americanbar.org/groups/business_law/publications/blt/2014/11/03_rothchild/. 90 See, e.g., 15 U.S.C. § 45; N.Y. INS. §§ 2401–09 (2018). 91 15 U.S.C. § 2056 (Consumer Product Safety Standards); see also, Contact/FAQ, U.S. Consumer Prod. Safety Comm’n, https://www.cpsc.gov/About-CPSC/Contact-Information (last visited Dec. 18, 2020) (discussing the CPSC’s authority to develop voluntary standards, issue mandatory standards, and research potential hazards); Voluntary Standards, U.S. Consumer Prod. Safety Comm’n, https://www.cpsc.gov/Regulations-Laws--Standards/Voluntary-Standards/ (last visited Dec. 18, 2020) (discussing the development of voluntary standards in collaboration with stakeholders, such as industry groups, government agencies, and consumer groups). 92 See Greenberg, supra note 11 (highlighting an instance where someone gained access to a Jeep remotely while it was in operation). 93 Id. 94 Id. 95 Id.

The third situation is where the IoT device is compromised and used to perform denial of service attacks on other devices, which subsequently cause damage and/or injury. In addition to the damage that an IoT device can do directly, there is also the possibility of indirect damage, such as when the device is used in a “Distributed Denial of Service” (DDoS) attack. A DDoS attack occurs when a large number of compromised computers are directed to flood a target with junk traffic or specifically crafted requests in order to overwhelm it or force it offline. IoT devices are ideal for use in DDoS attacks: they are usually poorly secured, run no antivirus or malware scanner, have spare processing capacity, and are always connected to the Internet. This use of IoT devices in DDoS attacks was demonstrated in October 2016, when a massive DDoS attack was launched using compromised IoT cameras and other devices.96 The attack brought down websites in the United States and Europe by directing a “botnet” of IoT devices at Dyn, an Internet infrastructure company.97 A botnet is a network of hijacked computing devices that are remotely controlled to carry out an attack.98 It was estimated that at least 100,000 devices were used in the attack.99 One of the significant contributing factors to the attack was the Mirai malware, which targets IoT devices protected only by weak or factory-default passwords.100 One Chinese company, Hangzhou Xiongmai Technology, which makes DVRs and Internet-connected cameras, admitted that its devices were significantly involved in the attack.101 The company stated that older devices that had not been updated with the fixes needed to prevent compromise were used in the attack.102 The company later recalled 4.3 million older cameras due to the vulnerabilities that were exploited for the attack.103

The Mirai malware uses infected devices to scan for other reachable devices and tries a list of common factory-default usernames and passwords to log in to them.104 Mirai then copies itself onto each device it can log in to. Most users do not notice, because the IoT device continues to operate normally, with only an occasional slowdown and some increased bandwidth use. The device usually remains infected until it is rebooted,105 and a rebooted device whose default credentials are unchanged can simply be found and infected again. A controller can then direct the infected devices to launch a DDoS attack against a specific target, as in the Mirai botnet attack on a building management system in Finland.106 That DDoS attack prevented the building management systems from accessing the Internet and sent them into an endless reboot cycle, which left the residents with no central heating during a cold Finnish fall.107 This attack could have been deadly had it taken place in the middle of winter.

With these indirect attacks, manufacturers may be held liable for damage caused by DDoS attacks. While the October 2016 attack shut down websites, an attack on critical infrastructure could lead to significant damage. If a company’s products are easy to compromise and are then used in significant numbers in a damaging DDoS attack, the company could be open to liability under product liability law as a cause of the damage. The proof of concept has already occurred, so companies are on notice that their products could be used in such an attack.

What should be the “reasonable cybersecurity” standard of care for companies involved with IoT devices? While no true standard of care has been put forward by the security industry or any standard-setting organization, several government institutions have investigated the matter and put forth their opinions. The National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity in 2014.108 In 2013, the Food and Drug Administration began evaluating device cybersecurity as a criterion for product approval.109 Because the NIST guidelines are non-binding and the FDA guidelines are specific to a particular industry, it may be advisable to look at the Federal Trade Commission’s recent actions for guidance on a potential “reasonable cybersecurity” standard of care.

______96 Lily Hay Newman, What We Know About Friday’s Massive East Coast Internet Outage, WIRED (Oct. 21, 2016), https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn (detailing a DDoS attack on Dyn using IoT devices such as webcams, DVRs, and routers). 97 Nicky Woolf, DDOS Attack that Disrupted the Internet Was Largest of Its Kind in History, Experts Say, GUARDIAN (Oct. 26, 2016), https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet (specifying that the DDoS attack utilized a weapon called the “Mirai botnet” during the attack). 98 Id. 99 Id. 100 Michael Kan, Chinese Firm Admits Its Hacked Products Were Behind Friday’s DDOS Attack, COMPUTERWORLD (Oct. 23, 2016), https://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html (discussing the role a Chinese electronics component manufacturer played in the DDOS cyberattack). 101 Id. 102 Id. 103 Michael Kan, Chinese Firm Recalls Camera Products Linked to Massive DDOS Attack, COMPUTERWORLD (Oct. 24, 2016), https://www.computerworld.com/article/3134548/security/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html.

______104 Charlie Osborne, Mirai DDoS Botnet Powers Up, Infects Sierra Wireless Gateways, ZDNET (Oct. 17, 2016), https://www.zdnet.com/article/mirai-ddos-botnet-powers-up-infects-sierra-wireless-gateways/. 105 Id. 106 Richard Chirgwin, Finns Chilling as DDoS Knocks Out Building Control System, REGISTER (Nov. 9, 2016), https://www.theregister.co.uk/2016/11/09/finns_chilling_as_ddos_knocks_out_building_control_system/. 107 Id. 108 NAT’L INST. OF STANDARDS & TECH., FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY (2014), https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf. 109 CTR. FOR DEVICES & RADIOLOGICAL HEALTH & CTR. FOR BIOLOGICS EVALUATION & RESEARCH, U.S. FOOD & DRUG ADMIN., CONTENT OF PREMARKET SUBMISSIONS FOR MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES 8–9 (2014), https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm356190.pdf.
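The Mirai behaviour described above (scan for exposed Telnet, try a short list of factory-default credentials, infect whatever answers) is concrete enough to check for. The following is an added example, written for this page and not drawn from the article or from any source it cites, showing two checks a device maker or installer could run against it: an audit of a device’s configured accounts against factory-default credentials of the kind Mirai’s scanner tried, and detection logic over login-audit lines that flags a source host sweeping one or more devices with many usernames and then succeeding. The credential list is an illustrative subset, and the log format and sample entries are constructed for the example.

```python
"""
Added example, not code from the article or from any source it cites.

Two checks around the Mirai pattern the article describes:
  1. audit_credentials(): a pre-launch / installation audit that flags
     device accounts still set to a known factory default.
  2. detect_credential_sweep(): detection over login-audit lines that flags
     a source sweeping devices with many usernames and then succeeding,
     without the logs needing to record passwords.

Assumptions: DEFAULT_CREDENTIALS is an illustrative subset of the factory
defaults Mirai's scanner tried; the log format and SAMPLE_LOG are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Illustrative subset of the factory-default (user, password) pairs tried by
# Mirai's scanner.  A real audit would load the full, maintained list.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("user", "user"), ("admin", "1234"),
    ("root", "root"), ("root", ""), ("admin", ""),
}


def audit_credentials(accounts):
    """Return usernames whose configured password is a known factory default.

    `accounts` maps username -> password as configured on the device (for
    example, read from its provisioning config before it ships)."""
    return sorted(user for user, pw in accounts.items()
                  if (user, pw) in DEFAULT_CREDENTIALS)


# Constructed audit-log format (no passwords are logged):
# "<ISO time> src=<ip> dst=<device> svc=<service> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_credential_sweep(lines, services=("telnet", "ssh"),
                            min_failures=3, window=timedelta(minutes=5)):
    """Flag source hosts that behave like a Mirai-style scanner.

    A source is reported when it produced at least `min_failures` failed
    logins on the listed services within `window`.  Any success from that
    source after its first failure is reported as a likely compromise of
    that device (the scanner found a working default credential)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["svc"] in services:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["result"] == "FAIL"]
        if len(failures) < min_failures:
            continue
        # Require the failures to form a burst inside the sliding window.
        burst = any(failures[i + min_failures - 1]["ts"] - failures[i]["ts"] <= window
                    for i in range(len(failures) - min_failures + 1))
        if not burst:
            continue
        first_fail = failures[0]["ts"]
        compromised = sorted({r["dst"] for r in recs
                              if r["result"] == "OK" and r["ts"] >= first_fail})
        findings[src] = {
            "failed_attempts": len(failures),
            "targets": sorted({r["dst"] for r in recs}),
            "usernames_tried": sorted({r["user"] for r in recs}),
            "compromised": compromised,
        }
    return findings


# Constructed sample log: one external host sweeping two cameras over Telnet
# and getting into cam-01; a local administrator logging in normally.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z src=203.0.113.7 dst=cam-01 svc=telnet user=root result=FAIL
2016-10-21T11:10:02Z src=203.0.113.7 dst=cam-01 svc=telnet user=root result=FAIL
2016-10-21T11:10:03Z src=203.0.113.7 dst=cam-01 svc=telnet user=admin result=OK
2016-10-21T11:10:05Z src=203.0.113.7 dst=cam-02 svc=telnet user=root result=FAIL
2016-10-21T11:10:06Z src=203.0.113.7 dst=cam-02 svc=telnet user=support result=FAIL
2016-10-21T11:10:07Z src=203.0.113.7 dst=cam-02 svc=telnet user=user result=FAIL
2016-10-21T11:15:00Z src=192.168.1.20 dst=cam-02 svc=https user=admin result=OK
""".splitlines()

if __name__ == "__main__":
    print(audit_credentials({"root": "xc3511", "admin": "s3cure-pass"}))
    for src, finding in detect_credential_sweep(SAMPLE_LOG).items():
        print(src, finding)
```

The detector deliberately does not need passwords in the log: the signal is a burst of failed logins from one source across devices followed by a success, which is what a router or a device’s own audit log can actually record. Because a rebooted but unchanged device is simply found and infected again, the credential audit belongs before shipping and at installation, not only after an incident.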


V. THE FEDERAL TRADE COMMISSION

The Federal Trade Commission’s mission is the enforcement of civil U.S. antitrust law and the promotion of consumer protection.110 It was in view of consumer protection that the Federal Trade Commission entered the debate on cybersecurity in 2013.111 The FTC held an Internet of Things (IoT) cybersecurity conference in November 2013 and released a Staff Report in 2015 titled “Internet of Things – Privacy and Security in a Connected World” (the “Report”).112 The FTC followed up the Report in 2018 with additional comments in “The Internet of Things and Consumer Product Hazards” (the “Comments”).113

In the Report and the follow-up Comments, the FTC made several recommendations. First, in the Report, the FTC recommended that “companies should implement ‘security by design’ by building security into their devices at the outset, rather than as an afterthought.”114 Security of devices should be considered at all stages of development.115 Second, the Report recommended that security be addressed at all levels of the company itself, including training personnel on good security practices.116 Third, companies should ensure that they retain service providers with good security procedures as well.117 Next, for systems with significant risk, companies should analyze security at several levels, including how information is transmitted over Wi-Fi networks.118 Furthermore, companies should consider “implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.”119 Finally, “companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.”120

In the Comments, the FTC conceded that “[r]equiring IoT devices to have perfect security would deter the development of devices that provide consumers with safety and other benefits.”121 The FTC discussed best practices for predicting and mitigating safety hazards in line with previously provided guidance. The Comments focused on three specific areas: risk assessment, vendor oversight, and software updates.122

______110 What the FTC Does, FED. TRADE COMM’N, https://www.ftc.gov/news-events/media-resources/what-ftc-does (last visited Nov. 13, 2020). 111 See F.T.C. STAFF REPORT, supra note 19, 7–10 (discussing benefits of the IoT). Commissioner Wright dissented from this staff report, and Commissioner Ohlhausen issued a concurring statement. Id. at i n.1, viii n.3. 112 Id. 113 FED. TRADE COMM’N, COMMENTS OF THE STAFF OF THE FEDERAL TRADE COMMISSION’S BUREAU OF CONSUMER PROTECTION: IN THE MATTER OF THE INTERNET OF THINGS AND CONSUMER PRODUCT HAZARDS (2018), https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-federal-trade-commissions-bureau-consumer-protection-consumer-product-safety/p185404_ftc_staff_comment_to_the_consumer_product_safety_commission.pdf [hereinafter F.T.C. STAFF COMMENTS]. 114 F.T.C. STAFF REPORT, supra note 19, at 28. 115 Id. 116 Id. at 29. 117 Id. at 30. 118 Id. 119 Id. at 31. 120 Id.

For risk assessment, the FTC highlighted that it should be used as a starting point to identify reasonably foreseeable threats and mitigation techniques against those threats. The FTC stated that companies can draw on the past twenty years of lessons learned by security experts. Areas of concern for IoT devices include, but are not limited to, compromised user credentials,123 the points of contact between a service and the IoT device,124 such as the interface between the device and the cloud, and pre-launch security testing of the device.125

For vendor oversight, the FTC charged IoT manufacturers with responsibility to take reasonable measures to evaluate the security of any service providers they might introduce. The FTC suggested that manufacturers exercise oversight when selecting third-party vendors to provide services, such as connections to the Internet or the cloud. In one case, the FTC alleged that the mobile device manufacturer BLU Products had failed to maintain reasonable security because it failed to oversee one of its service providers.126 Because of failures on BLU’s part, consumers’ text messages, call and text logs, and real-time locations were shared with a Chinese service provider that had no business need for such information.127 In another case, the FTC alleged that third-party ad-injecting software that Lenovo pre-installed on its laptops created serious security vulnerabilities.128 Third-party service providers have been known to serve as access points into systems, such as the HVAC contractor whose systems were used to access Target.129 In the Jeep Cherokee case, a third-party service provider supplied the cellular connection to the vehicle that allowed the security researchers to remotely hack and then control the vehicle.130

______121 F.T.C. STAFF COMMENTS, supra note 113, at 2; see also Protecting Consumer Information: Can Data Breaches Be Prevented?: Hearing Before the Subcomm. on Commerce, Mfg., and Trade of the H. Comm. on Energy & Commerce, 113th Cong. 4 (2014), https://energycommerce.house.gov/hearings/protecting-consumer-information-can-data-breaches-be-prevented/ (“[T]he Commission has made clear that it does not require perfect security; that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and that the mere fact that a breach occurred does not mean that a company has violated the law.”). 122 F.T.C. STAFF COMMENTS, supra note 113, at 6. 123 See Complaint at 162–69, Twitter, Inc., 151 F.T.C. 162 (2011) (The FTC alleged that Twitter gave almost all of its employees administrative access to control of the Twitter system, that Reed Elsevier failed to prevent unauthorized access to sensitive consumer information, and that Guidance Software failed to actually safeguard sensitive personal information); Complaint at 4, Reed Elsevier, Inc., 146 F.T.C. 1 (2008); Complaint at 535, Guidance Software, Inc., 143 F.T.C. 532 (2007). 124 FED. TRADE COMM’N, CAREFUL CONNECTIONS: BUILDING SECURITY IN THE INTERNET OF THINGS 3–5 (2015), https://permanent.fdlp.gov/gpo129158/0199-carefulconnections-buildingsecurityinternetofthings.pdf [hereinafter CAREFUL CONNECTIONS]. 125 Id. 126 Complaint at 3, BLU Products, Inc., No. 172-3025 (Apr. 30, 2018), https://www.ftc.gov/enforcement/cases-proceedings/172-3025/blu-products-samuel-ohev-zion-matter; https://www.ftc.gov/system/files/documents/cases/1723025_blu_complaint_4-30-18.pdf. 127 Id. 128 Lenovo (United States) Inc.; Analysis to Aid Public Comment, 82 Fed. Reg. 43013, 43015 (Sept. 13, 2017).

Software updates refer to the manufacturer’s or service provider’s capability to provide updates that address newly discovered security concerns. The FTC warns companies to stay abreast of threats identified in the marketplace. It has also repeatedly stated that a failure to maintain an adequate process for receiving and addressing security vulnerability reports from security researchers can constitute a violation of Section 5 of the FTC Act.131 Furthermore, companies need to take reasonable steps to address discovered security concerns, such as by issuing updates and patches.

In 2014, the FTC issued a Decision and Order in In re TRENDnet, Inc.132 TRENDnet sold network devices such as modems, routers, and IP cameras.133 The IP cameras allowed users to view live feeds over the Internet, and the user was required to enter a username and password to access them.134 Users could also view the feeds from a mobile app, which stored the access credentials so that the user did not have to reenter them.135 The FTC alleged that TRENDnet “transmitted user login credentials in clear, readable text over the Internet”; “stored user login credentials in clear, readable text on a user’s mobile device”; and failed both to “employ reasonable and appropriate security in the design and testing of the software that it provided consumers for its IP cameras” and to “implement a process to actively monitor security vulnerability reports from third-party researchers, academics, or other members of the public.”136 Ultimately, the FTC came to a consent agreement with TRENDnet.
In the consent order, the FTC required TRENDnet to implement a comprehensive security program to analyze and address security risks that could arise from unauthorized access to its IP cameras.137 This security program would include risk assessments covering the potential risks in: “(1) employee training and management; (2) product design, development, and research; (3) secure software design, development, and testing; and (4) review, assessment, and response to third-party security vulnerability reports.”138 It would then address those risks through safeguards including: “(1) vulnerability and penetration testing; (2) security architecture reviews; (3) code reviews; and (4) other reasonable and appropriate assessments, audits, reviews, or other tests to identify potential security failures.”139 Of further interest, the FTC required TRENDnet to obtain independent assessments and reports on the aforementioned program from a third-party professional.140 The FTC also required that the third-party professional hold at least one of two certifications: “a Certified Secure Software Lifecycle Professional (CSSLP) with experience programming secure Covered Devices or other similar Internet-accessible consumer grade devices; or as a Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and in programming secure Covered Devices or other similar Internet-accessible consumer-grade devices.”141 Both of these security certifications require passing an examination and are administered by the International Information System Security Certification Consortium, also known as (ISC)².142

Three years later, in a similar situation, the FTC filed a complaint against D-Link Corp., alleging that D-Link failed to take reasonable precautions to protect its devices against preventable security flaws and to protect mobile login credentials, which it stored in “clear, readable text on a user’s mobile device.”143

The above guidelines illustrate the standards of care for cybersecurity of IoT devices that the FTC uses to hold companies accountable. Furthermore, the fact that the majority of the FTC’s decisions end in consent orders demonstrates that companies are willing to follow the agency’s guidelines. Therefore, these negotiated standards of care represent reasonable cybersecurity standards of care for the IoT industry.

______
129 Target Hackers Broke in Via HVAC Company, KREBSONSECURITY (Feb. 5, 2014), https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/.
130 Greenberg, supra note 11.
131 CAREFUL CONNECTIONS, supra note 124, at 7.
132 Decision and Order at 26, TRENDnet Inc., 157 F.T.C. 1 (2014).
133 Complaint at 2, TRENDnet Inc., 157 F.T.C. 1 (2014).
134 Id. at 2–3.
135 Id.
136 Id. at 5.
137 Decision and Order at 26–31, TRENDnet Inc., 157 F.T.C. 1 (2014).
138 Id. at 31.
139 Id.

VI. PROPOSED GUIDELINES

The specific guidelines that the FTC listed above in the Staff Report, the Comments, and the Consent Orders show a roadmap toward determining a “reasonable security” standard of care for securing Internet of Things (IoT) devices.144 If the FTC holds companies to these standards for the purpose of producing secure devices, these guidelines may also be considered the starting point for a standard of care for security in negligence complaints under product liability law. The core of these guidelines is encapsulated by the phrase “security by design.” As outlined in the Staff Report, the FTC states that companies should build security features into their devices from the beginning, meaning the design phase of product development.145 The companies should then consider the security of the device at all stages of product development. This includes performing risk assessments to identify reasonably foreseeable threats and mitigation techniques for those threats.146 Security by design also includes having personnel trained in good security practices as a part of all stages of the product development process, rather than simply hiring someone at the end to add security measures as an afterthought.147

Security by design guidelines should not just apply to the manufacturer of the device, but also to any third-party integrators, installers, and retailers of the devices. For example, those that install IoT devices into homes should be concerned with the security of the devices in the home and how they may interact with each other. One of the issues with the Jeep Cherokee hack was that the hackers were able to use different devices from various manufacturers to rewrite the chips in the car’s internal computer network and control the physical components of the car.148 Not only should such manufacturers be concerned about the security of their own devices, but they should also anticipate how their devices might interact in tandem with other devices. Furthermore, the integrator or installer working on multiple IoT devices should be concerned about how the different devices interact. If a new home is built with an IP doorbell camera, remote control locks, one or more remote control appliances, and a voice-activated hub to control them all, the installer or home builder needs to have designed the security to work together across all of the components. Retailers should also be trained to know the level of security of the devices that they sell. Much like a pharmacist asking what other medications an individual is taking, the IoT device salesperson should be trained to warn consumers about the security concerns of certain combinations and/or configurations of IoT devices.

______
140 Id.
141 Id.
142 CISSP – The World’s Premier Cybersecurity Certification, (ISC)2, https://www.isc2.org/Certifications/CISSP (last visited Nov. 12, 2020); CSSLP – The Industry’s Premier Secure Software Development Certification, (ISC)2, https://www.isc2.org/Certifications/CSSLP (last visited Nov. 12, 2020).
143 Complaint at 5, D-Link Corp., No. 132-3157 (Jan. 5, 2017), https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf.
144 F.T.C. STAFF REPORT, supra note 19, at 28.
145 Id.
Security for the product development cycle should also include analyzing how information will be transmitted and received by the IoT device in the field, such as whether information might be transmitted over Wi-Fi networks or whether the device would be discoverable via Bluetooth.149 Should information transmitted over Wi-Fi be encrypted or otherwise obfuscated to protect against unauthorized eavesdropping or injection of bad data? For example, if the IoT device counts steps, then the number of steps probably does not need to be encrypted, but the current location of the user probably should be protected and encrypted.

Next, the FTC requests that companies ensure that their service providers also have appropriate security procedures.150 This service provider oversight ensures that the IoT manufacturers and those that set up IoT devices take reasonable measures to evaluate how their devices interact with and are secured by the services that provide network connections to other devices, provide access to the Cloud, or provide other services that allow the IoT device to work as intended. As described above, the cellular provider for the Jeep Cherokee allowed individuals to scan for connected vehicles and also allowed those vehicles to be connected to remotely.151 This also includes ensuring that the service provider does not gain unnecessary access to information about the users of the IoT devices. For example, even if the service provider is reliable, data that the service provider passes back and forth between the cloud and the IoT device should be encrypted to limit eavesdropping, either by the service provider or by someone listening to the service provider’s communications.

And finally, companies should monitor for future developments in security technologies and issues.152 Security is not just a snapshot at a single point in time, but a continuous process from the design stage through when the IoT device is out in the field. By discussing software updates, the FTC expects that companies will be able to update or patch the security on their devices after the devices have gone out in the market. This also means that the updates should be done in a safe manner. Some IoT devices allow for over-the-air updates, where the manufacturer or service provider can update the device to the latest security patch.153 Nevertheless, this feature can also be a vulnerability, as the Jeep hackers used the update feature to rewrite a car’s chip firmware.154 Another question that has yet to be resolved is who is responsible for updating the security on IoT devices out in the field. On the one hand, the IT department of a major company may be responsible for the devices it installs. After all, the IT department is supposed to be trained on establishing security measures for such installed devices.

______
146 F.T.C. STAFF COMMENTS, supra note 113, at 3.
147 See F.T.C. STAFF REPORT, supra note 19, at 28–29 (discussing the importance of companies “building security into their devices at the outset”).
148 Greenberg, supra note 11; Miller, supra note 11.
149 See F.T.C. STAFF REPORT, supra note 19, at 30 (advising companies to evaluate the security risks that arise across various technologies their employees use and suggesting they tailor their approaches accordingly).
150 Id.
But what about the user who purchases and self-installs an IoT device, such as an IP camera or thermostat? Should the individual consumer be held to a different standard than the IT professional? The answer should be yes. This issue has not been resolved in the courts or the statutes at this point, but the answer should be that, although the IT professional has the appropriate skills, training, and knowledge to properly secure IoT devices, the average consumer does not. Therefore, the liability would likely remain with the manufacturer or, potentially, the installer. An installer from Best Buy would have the responsibility of proper installation, which then might transfer over to the manufacturer, or to those who provided installation instructions to the consumer. In addition to installation, a manufacturer would have the responsibility of ensuring that the IoT device is capable of updating to the latest security patches without requiring much, if any, user interaction. For example, a simple click to approve an update on a dialog prompt would be reasonable. On the other hand, if a user had to plug the device into a computer and run one or more batch files to patch the IoT device, this would be an unreasonable burden. Most consumers are not technologically savvy enough to perform such updates, and probably would not want to take the time to follow through with the update. Accordingly, the onus should be on the manufacturer to make the updating process almost seamless or invisible to the consumer. For example, companies may perform over-the-air updates that allow the IoT devices to update automatically when the devices are connected to the Internet. Nevertheless, mailing a USB drive to a consumer, and expecting the consumer to properly install the update to a vehicle, would not be reasonable.155

While these guidelines do show a way forward, they have yet to be tested in court. To date, most of the litigated IoT product liability cases have failed on the issue of standing for lack of actual harm.156 In class action lawsuits against Toyota Motor Corp.,157 claims based on foreseeable harm due to potential future hacking were dismissed for lack of standing because no actual harm had yet occurred. In Ross v. St. Jude Medical Inc., the plaintiff was not harmed by his in-home monitoring system, but alleged the possibility of harm due to lack of security defenses in the system.158 The plaintiff later voluntarily dismissed the case.159 In other cases, the alleged harm was emotional distress and loss of privacy. In Ashley LeMay et al. v. Ring LLC, the plaintiffs claimed that hackers compromised their Ring© cameras to spy on them and yell at them through the devices, but no physical damage or injury was found in this case.160 Thus far, the courts have held that the potential for harm due to hacking is not enough, and therefore the scope of product liability law will not be fully realized until someone is actually physically harmed by a compromised IoT device. Until then, it would be advisable for manufacturers of IoT devices to conform their product development to a reasonable standard of care for cybersecurity, such as that proposed by the FTC.

______
151 Greenberg, supra note 11.
152 F.T.C. STAFF REPORT, supra note 19, at 31.
153 Andrew J. Hawkins, GM’s New ‘Digital Nerve System’ Will Enable Over-the-Air Software Updates on All Vehicles, VERGE (May 21, 2019), https://www.theverge.com/2019/5/21/18633000/gm-ota-software-updates-digital-platform-reuss (discussing updating software in vehicles via smartphone-style connectivity).
154 Miller, supra note 11.
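The discussion above notes that an over-the-air update path is itself a vulnerability unless updates are "done in a safe manner," and that the consumer cannot be expected to do the checking. The following is an added example, written for this edit and not taken from the article, the FTC materials, or any device vendor, of the minimum a device should verify on its own before applying an update: that the update manifest is authentic, that the firmware image matches the manifest, and that the update is not a downgrade to an older, vulnerable version. It uses HMAC-SHA256 with a key provisioned at manufacture as a standard-library stand-in for the asymmetric signature a real vendor would use; the key, version numbers and firmware bytes are constructed.

```python
"""Device-side check of an over-the-air (OTA) update before it is applied.

Added example written for this edit; it is not code from the article, the
FTC, or any device vendor. HMAC-SHA256 with a key provisioned at manufacture
stands in for the asymmetric signature a real vendor would use, so the
example runs on the standard library alone. The key, version numbers and
firmware bytes below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed values: a verification key burned into the device at manufacture
# and the firmware version the device currently runs.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
INSTALLED_VERSION = 3


def build_update(key: bytes, version: int, image: bytes) -> Dict[str, object]:
    """Vendor side: wrap a firmware image in an authenticated manifest.

    The manifest records the version (for rollback protection) and the
    SHA-256 of the image; the tag authenticates the manifest.
    """
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


def verify_update(package: Dict[str, object],
                  key: bytes = VENDOR_KEY,
                  installed_version: int = INSTALLED_VERSION) -> Tuple[bool, str]:
    """Device side: decide whether an update package may be applied.

    Returns (accepted, reason). Checks run in an order that never trusts
    unauthenticated bytes: authenticate the manifest first, then parse it,
    refuse downgrades, and only then confirm the image matches its digest.
    """
    manifest = package["manifest"]
    expected_tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison stopped matching
    if not hmac.compare_digest(expected_tag, package["tag"]):
        return False, "manifest authentication failed"

    meta = json.loads(manifest)
    if meta["version"] <= installed_version:
        return False, "rollback refused"

    image_digest = hashlib.sha256(package["image"]).hexdigest()
    if not hmac.compare_digest(image_digest, meta["sha256"]):
        return False, "image digest does not match manifest"

    return True, f"applying version {meta['version']}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against a valid update and three bad ones (all constructed)."""
    genuine = build_update(VENDOR_KEY, 4, b"constructed firmware image v4")

    tampered = dict(genuine)  # authentic manifest, but the image was swapped
    tampered["image"] = b"constructed replacement image"

    downgrade = build_update(VENDOR_KEY, 2, b"constructed firmware image v2")
    forged = build_update(b"not the vendor key", 5, b"constructed image v5")

    return {
        "genuine": verify_update(genuine),
        "tampered": verify_update(tampered),
        "downgrade": verify_update(downgrade),
        "forged": verify_update(forged),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:9} -> {'apply' if accepted else 'reject'}: {reason}")
```

The point of the ordering is that the device parses nothing and writes nothing until the manifest has been authenticated, and a correctly signed but older package is still refused, which is what keeps the update channel from becoming the re-flashing route the article describes in the Jeep case. A production device would replace the shared key with a public key and a signature check, but the three decisions the function makes would stay the same.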

CONCLUSION

Product liability law appears to be a way forward for protecting consumers of IoT devices from the physical damages of malicious hacking attacks. When a hacker successfully attacks a user’s thermostat or car and causes actual damages, the user should be able to file a complaint against the manufacturer and the installer. If the security of the breached system does not reach the reasonable cybersecurity standard of care outlined by the FTC, the user should be able to plead, under the theory of negligence, that the lack of or low security was a defect in the device and was the “but for” cause of their injury. While no security setup will prevent all hacking attempts, manufacturers may use the reasonable cybersecurity standard of care outlined by the FTC as a guideline for security in the devices that they manufacture. This standard of care will encourage manufacturers to take reasonable precautions and keep up with the latest developments in security, which will protect consumers in the long run. Furthermore, ensuring that manufacturers coming into the IoT space are aware of the risks of liability will help ensure that the security of IoT products is taken seriously. In addition, manufacturers and installers should be aware that the security of their devices affects the security of the other devices on the network. They do not want to be the ones that left the door open to let a hacker into the network, as they may be held liable for damages caused by their providing access to other devices. These installers and manufacturers should also be aware that poor security practices may cause their devices to become part of larger attacks that could cause significant damage. If those companies left flaws in their devices that allowed their systems to easily become part of large attack botnets, those companies may potentially become liable for the damage caused by those botnets. While no uniform standard of care yet exists when it comes to security, the actions of the Federal Trade Commission show that the Federal Government is watching this space, and manufacturers are advised to take preemptive measures to ensure the security of their devices so that they do not become a part of the latest hacking scandal.

______
155 See Greenberg, supra note 11.
156 Leta E. Gorman, The Era of the Internet of Things: Can Product Liability Laws Keep Up?, 84 DEF. COUNS. J. 1, 6–9 (2017).
157 Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955, 971 (N.D. Cal. 2015).
158 Ross v. St. Jude Medical, Inc., No. 2:16-cv-06465 (C.D. Cal. Aug. 26, 2016).
159 Gorman, supra note 156, at 7.
160 Ashley LeMay et al. v. Ring LLC, No. 2:20-cv-00074 (C.D. Cal. Jan. 03, 2020).