Cybersecurity: End of Year Update

The final month of the year is a time both to reflect on the past and to plan for the future.  This is particularly true in the context of the intersection between cybersecurity and products liability.

In December 2014, we reported about the U.S. Food and Drug Administration’s (FDA) final guidance advising medical device manufacturers of the need for “effective cybersecurity to assure medical device functionality and safety.”  See article.  At that time we advised that the issue of cyber risk was not unique to medical devices but extended to any consumer product that depends on the proper functioning of software or an internet network connection.

In December 2015, we reported that President Obama had signed into law a $1.1 trillion spending bill that included the Cybersecurity Information Sharing Act of 2015.  See article.  There, lawmakers advised that cyber attacks often follow similar patterns and exploit the same known vulnerabilities across multiple targets.  Thus, the Cybersecurity Information Sharing Act of 2015 was intended to encourage early cyber victims to share as much information as possible about the data breach they experienced with the federal government and other similarly situated companies, to arm those companies against future parallel attacks.

This December—as 2016 comes to a close—the Department of Homeland Security (“DHS”) has followed suit, declaring cybersecurity and the Internet of Things (IoT) a matter of national security.  Taking action like the FDA and President Obama in years past, the DHS recently released a new publication titled “Strategic Principles for Securing the Internet of Things (IoT).”  See publication.

DHS released its Strategic Principles to address the fact that IoT security has failed to develop at the same pace as innovation and deployment.  For this reason, the DHS’s publication highlights the safety and economic risks that have arisen related to the rapidly expanding IoT.  From a more practical standpoint, the DHS publication “provide[s] a set of non-binding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.”  See publication at 2.

From a defense perspective, our readers should take notice that DHS emphasized the potential legal implications of failing to build security into product design—especially for any network-connected device (an ever-expanding category of goods and services).  In a blue call-out box, DHS writes: “[f]ailing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs, or product recall costs.  While there is not yet an established body of case law addressing the IoT context, traditional tort principles of product liability can be expected to apply.”  See publication at 5 (emphasis added).

It is believed DHS was called into action following a year of large distributed denial of service (“DDoS”) attacks launched from compromised IoT devices (think web cameras and DVRs).  The layman’s definition of a DDoS attack is one where an online service is made unavailable because it is overwhelmed with traffic from many compromised—or malicious—sources.  These household devices are attractive targets for a variety of reasons, including: (1) hard-coded default passwords shared by every unit; (2) missing or inadequate authentication on the device’s network services; and (3) no way to update the device remotely once a flaw is found.  Guarding against these types of vulnerabilities is addressed throughout DHS’s Strategic Principles publication.  In fact, incorporating security at the design phase of a product is one of the high-level principles DHS includes in its guidance document.
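To make the first two weaknesses on that list concrete, here is an added illustration (it is not code from the DHS publication or from this article): a device login routine built around one factory credential shared by every unit, beside a design that gives each unit its own random credential, stores it only as a salted hash, refuses management access until that credential is replaced, and locks the account after repeated failures.  The credential list, the device names, the lockout threshold, and the password rules are constructed assumptions for the example.

```python
"""Hard-coded shared credential (the pattern botnet scanners exploit) beside a
hardened per-unit design. Added example; all names and thresholds are assumed."""
import hashlib
import hmac
import os
import secrets

# Constructed list of the kind of factory credentials an IoT scanner tries.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("admin", "password"), ("root", "12345"),
]
COMMON_PASSWORDS = {pw for _, pw in DEFAULT_CREDENTIALS} | {"123456", "admin1234"}


class WeakDevice:
    """The anti-pattern: one credential baked into every unit's firmware and
    never forced to change, so one guess unlocks the whole product line."""
    USER, PASSWORD = "admin", "admin"

    def login(self, user: str, password: str) -> bool:
        return user == self.USER and password == self.PASSWORD


class HardenedDevice:
    """Per-unit random credential, salted PBKDF2 hash, forced change before the
    management interface opens, and lockout after repeated failures."""
    MAX_FAILURES = 5        # assumed lockout threshold
    PBKDF2_ROUNDS = 100_000

    def __init__(self, serial: str):
        self.serial = serial
        self.user = "admin"
        # Unique secret generated at provisioning and printed on the unit's label.
        self.initial_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(self.initial_password)
        self.must_change_password = True
        self._failures = 0
        self.locked = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                   self.PBKDF2_ROUNDS)

    def login(self, user: str, password: str) -> bool:
        if self.locked or user != self.user:
            return False
        # Constant-time comparison so the hash bytes leak nothing via timing.
        if not hmac.compare_digest(self._derive(password), self._pw_hash):
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self.locked = True
            return False
        self._failures = 0
        return True

    def change_password(self, old: str, new: str) -> bool:
        if not self.login(self.user, old):
            return False
        # Refuse values a scanner list would carry; minimum length is assumed.
        if len(new) < 12 or new.lower() in COMMON_PASSWORDS:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(new)
        self.must_change_password = False
        return True

    def management_access(self, user: str, password: str) -> bool:
        """The management API stays closed until the factory credential is replaced."""
        return self.login(user, password) and not self.must_change_password


def credential_sweep(devices, guesses=DEFAULT_CREDENTIALS) -> int:
    """Count devices that accept any credential on the list, i.e. what an
    internet-wide scanner would find."""
    return sum(1 for dev in devices if any(dev.login(u, p) for u, p in guesses))


if __name__ == "__main__":
    weak_fleet = [WeakDevice() for _ in range(3)]
    hard_fleet = [HardenedDevice(f"SN-{i:04d}") for i in range(3)]
    print("weak units taken by default list:", credential_sweep(weak_fleet))
    print("hardened units taken by default list:", credential_sweep(hard_fleet))
```

The sweep is the scanner's view: every `WeakDevice` falls to the first guess, while a `HardenedDevice` has no credential that appears on any list, and the failed guesses it does receive count toward lockout.  The `management_access` gate is the design-phase decision the DHS principle is about: the unit ships usable, but not administrable, until its owner has replaced the label credential.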

DHS also points out a key problem that exists at the intersection of cybersecurity and litigation: “whose fault is it?”  In describing four lines of effort for IoT security across the federal government, DHS notes that “it is often too unclear who bears responsibility for the security of a given product or system.”  In response to this problem, DHS suggests “identify[ing] and advanc[ing] incentives for securing IoT devices and networks,” listing “tort liability” as a possible solution.  See publication at 13-14.

To date, tort claims born of cybersecurity vulnerabilities have typically arisen in the context of privacy breaches or straight negligence claims hinging on a breach of duty.  However, DHS’s suggested “best practice” of building security in at the design phase, rather than at a later stage in product development or commercialization, raises the question of whether future litigants will gain traction alleging defective design claims against products where the main injury is one related to cybersecurity vulnerabilities or breaches.