IoT security leads to legal headaches

August 20, 2018

The old adage is that there are only two guarantees in life — death and taxes. When it comes to Black Hat, the same can be said of Charlie Miller and Chris Valasek talking about the Jeep Hack and us writing about it on Kaspersky Daily (here, here, here, and here).

The two did speak at the annual conference in Vegas this year, but instead of focusing on the Jeep Hack, the pair discussed the urgent issue of securing autonomous vehicles. Miller and Valasek’s research from 2015 was an integral part of another talk, however, given by Ijay Palansky, a partner at Armstrong Teasdale and lead counsel for a class action lawsuit against Fiat Chrysler. His talk was called “Legal Liability for IoT Cybersecurity Vulnerabilities.”

As the case moves through the court system, Palansky warned that lawyers across the country would be keeping a close eye on it, and that it could be the start of more litigation around the insecure space of the IoT.

In the past, we’ve covered many instances of products delivered to consumers with security vulnerabilities. They range widely, from baby cams that can be viewed by anyone and toys that spy on kids to the infamous Jeep hacking.

With so many of these insecurities reported and customers affected, one might wonder why there has not been a slew of lawsuits. The answer, according to Palansky, is that until the Jeep case, there was no precedent set.

With no precedent for the new cases, lawyers pushing litigation will be entering uncharted territory. That means this upcoming case could be the little push that starts a boulder moving down a hill. That boulder could be good for consumers. But what about companies?

The Jeep case will take some time to move through the courts, but companies shouldn’t wait for the resulting decision. They need to start acting now to avoid joining Fiat Chrysler in the unenviable position of defendant. So, what should companies do in terms of security?

In response, Palansky noted that the makers should start thinking more seriously about their security and be clearer in their terms of use and in disclosing when patches are issued for flaws. Given that, with enough skill and perseverance, everything can be hacked, Palansky suggested that companies have to hire good lawyers, and not just good ones, but ones who understand the technology. He added that these lawyers should also help with manuals, training, and so forth when advising on customer communications about product usage.