Academic warns over IoT legal liability

Written by Peter Walker
22/05/19

As connected devices increasingly control systems capable of inflicting death or personal injury, a new wave of liability is set to wash over the world of cyber security: strict liability for defective products.

The warning came from Robert Carolina, executive director at Royal Holloway University’s Institute for Cyber Security Innovation, who wrote in a new paper that as the Internet of Things (IoT) grows, risks caused by cyber security failures also grow.

Victims of defective products are not required to demonstrate the ‘fault’ of a product manufacturer, rather it will be enough to demonstrate the existence of a defect in the product that causes harm.

Under European laws, “a product is defective when it does not provide the safety which a person is entitled to expect taking all circumstances into account...”

Carolina explained that for decades lawyers specialising in this field have taken comfort in the widely shared legal opinion that software does not fit within the definition of ‘product’ under European or American law. Even if software was to be viewed as a product, opportunities for defective software design to cause death or personal injury seemed exceedingly rare.

“One long-understood risk of strict liability concerns defective software control systems as a component in safety-critical hardware,” he stated, adding: “The manufacturer of the resulting defective hardware is subject to strict liability claims, irrespective of the source of the defect.”

The IoT now presents a rapidly growing set of opportunities for “death by software”, where connected products - an autonomous vehicle, industrial control system or pacemaker - can be compromised through the design of electrical, mechanical, software, or security systems.

“Thus strict liability applies to products whether safety is compromised through errors in algorithmic decision-making (e.g. an autonomous vehicle decides to swerve into oncoming traffic after misreading road markings) or security errors (e.g. a broken authentication scheme permits a remote hacker to divert the same vehicle into oncoming traffic),” Carolina wrote.

Under current law, defective component ‘product’ manufacturers face strict liability for personal injury caused by automobiles with, for instance, defective brakes installed. Software is not currently thought to be a product in this area of law, but that may be about to change.

Last year, the European Commission (EC) completed a comprehensive evaluation of European product liability law, where the term ‘software’ featured prominently and repeatedly. The EC questioned the extent to which digital products should be redefined as products and thus subjected to strict liability analysis when defects cause death or personal injury.

A Commission Expert Group on liability and new technologies is also currently examining possible changes to the law.

“We seem to be accelerating towards a world in which cyber security failures in the IoT will create increasing risk to life and limb,” said Carolina. “Manufacturers of tangible IoT products already face strict liability if their product is unsafe – including cases where safety is compromised by poor cyber security.

“It appears that software developers, SaaS providers, and other cloud service providers, may soon be required to step up to this same stringent standard of responsibility throughout Europe – we hope they’ll be prepared for the challenge.”

Mark Milton, co-founder and chief executive at cyber security specialists Amberlight Partners, commented: "Given the security and usability of software are now matters of life and death - it is high time that boards devoted resource accordingly."