The IoT liability jumble

The Internet of Things, while already vast and varied, is poised to become vastly bigger. A panel at the RSA conference said that makes the legal liability issues around vulnerabilities and failures very complicated.

The Internet of Things (IoT) is disrupting just about every industry. But it may get disrupted itself as the nation’s legal and regulatory system slowly catches up with the massive security and privacy risks it creates.

Not anytime soon, however. “Work in progress” was the operative phrase at a panel session at this week’s RSA conference titled, “Flaming toasters to crashing cars – the Internet of Things and mass liability.”

Most of the problem with establishing legal liability surrounding the IoT is that while its growth is regularly called “explosive,” there is a lot more, and bigger, exploding yet to come.

The number of connected things is expected to expand so exponentially that one of the panelists, Jay Brudz, an attorney at Drinker Biddle & Reath, declared that “Internet of Things” is already a “dumb phrase. In years to come, it’s going to be everything but computers with a human interface, so it’s just going to be the Internet,” he said.

Another panelist, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, agreed that the IoT, as vast as it appears, is “still in the early days. NIST (National Institute of Standards and Technology) has some materials on this, but the broader set is a work in progress.”

That does not mean nothing is happening. Nithan Sannappa, a privacy and data security attorney at the Federal Trade Commission (FTC), said the agency is interested in IoT consumer products or services, and has brought about 50 cases against various companies, mostly focused on the “inadequacy of the company’s network.”


Sannappa was the lead attorney on the recent settlement between the FTC and ASUSTek Computer over flaws in its consumer routers.

While the company had promised that customers could “safely secure and access your treasured data through your router,” the FTC found that “hackers used easily accessible tools to locate and exploit (them), gaining access to more than 12,900 consumers' storage devices.”

The FTC’s authority comes under its role in sanctioning companies that demonstrate “unfair and deceptive” business practices.

But the FTC settlements so far haven’t included any heavy financial penalties – in most cases the companies agree to improve their security and to submit to audits. If they violate the terms of the agreement, they can then be subject to fines.

And while that may send a signal to other manufacturers about not promising what they are not delivering, Hibbard and Brudz both said in the rush to get connected devices to the market, security remains an afterthought.


“The business model is to launch them and then fix them later,” Brudz said.

Hibbard said this will become a bigger problem since the IoT amounts to “the building blocks of our future environment. The problem is that we’re only thinking three years ahead when we should be thinking 30 years ahead. It’s like our highway system – it would be better if we could completely rebuild our roads, but we can’t. We can only patch them.”

Another problem is that most devices are not easily updated, so when vulnerabilities are discovered, they remain. “Some of them are embedded in your wall,” Hibbard said. “They’re not designed to let you get access.”

And yet another problem affecting legal liability is what Hibbard called “a mashup of devices – a half-dozen different devices put together in ways they were never designed to be in the first place.”


Those components could be in things ranging from bridges to traffic signals to cars. “From a legal perspective, it opens up interesting areas,” he said. “If something bad happens, which component made the poor decision that caused the harm?”

Brudz said the legal system also has yet to sort out who is responsible for damages in the case of a breach. In the case of ASUS routers, “is the fault with the guy who made the router, or the guy who stole the information (from customers)?” he asked. “If somebody breaks into your house, can you sue the guy who made the lock?”

What makes it even more complicated is that many attackers are in different countries, far from the reach of American law enforcement or the courts.

Sannappa said some of the biggest names in the private sector, like Apple, Google and Samsung, may help to set overall IoT security standards. “There is a possibility where we could have larger ecosystems, industry leaders, setting up a way for smaller players to have guidance.

“Then regulators can say, this is what you were supposed to be doing and weren’t,” he said.

But there was general agreement that the process will take time. “We may be looking three to four years out before standards start arriving,” Hibbard said. “And I think it is going to be the legal community that is going to weigh in on it.

“It’s going to be a wake-up call to manufacturers and developers to do something about their house of cards,” he said.

Stories by Taylor Armerding