Internet of insecurity: liability risks for business

The emergence of the Internet of Things (IoT – the interconnection of everyday objects via the internet) raises important issues relating to security and hacking.  In particular, the potential for civil claims against manufacturers resulting from a failure to provide any or sufficient security is not known.

With respect to product liability, such claims are normally pursued in the UK either under the Consumer Protection Act 1987 (on the basis that the product contains a defect) or for breach of contract on the basis that there is breach of the implied term that any goods supplied be of satisfactory quality.  Hence, the court would need to determine whether a lack of security in an IoT product could amount to either a defect or a lack of satisfactory quality.  The Consumer Protection Act states that there is a defect in a product if the safety of the product is not such as persons generally are entitled to expect.

I doubt that a lack of security in and of itself would suffice to render something ‘unsafe’ under the Consumer Protection Act.  But I can see greater scope for a finding that a lack of security could amount to a lack of satisfactory quality (depending on the circumstances, e.g. if promises were made as to the level of security at the point of sale). In any event, there would be causation issues to consider in either case.

Generally, the deliberate acts of a third party, particularly where those acts are malicious or unlawful (for example, the actions of a hacker) can break the chain of causation such that it will be said that it was not the defendant’s breach that caused the loss but the actions of the third party.  But, in some circumstances the intervening act of the third party may not break the chain of causation where that third party’s conduct fell squarely within the risk that the defendant was supposed to address.  Hence there is some scope to sue an IoT manufacturer for breach of contract if, say, the purpose of the contract was (at least in part) to secure against hackers and where it failed to do.  The determination of such issues will be very fact specific and will rely on determinations as to, e.g., the level of security that persons are entitled to expect.

West_D-9-web Written by Daniel West, associate at BLM

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s