MHC Tech Law: Untangling the web of liability in the internet of things

19 May 2016

The advent of the age of internet of things and connected devices raises many questions – especially about who is responsible if something goes wrong. Mason Hayes & Curran takes a look at some of these issues.

Over the last few years, the internet of things (IoT) has taken the technology sector by storm. Although there is no hard and fast definition, digital devices with internet access that connect to other devices form the building blocks of the IoT.

Gartner forecasts that 6.4bn connected ‘things’ will be in use this year and this number is set to grow substantially over the next few years. Despite its scale, a lot of IoT technology is still in its infancy. Given the possibility of device and network vulnerabilities, many businesses and consumers are trying to understand liability and risk allocation in IoT.

The promise of the internet of things

The IoT promises smart cars, smart kitchens and smart home devices, among other things. Users can usually control the various connected devices on the network using an app on their phones or tablets. However, like any technology, the connectivity of the IoT network and the devices themselves have the potential to malfunction or be hacked. This risk is even more prevalent when some manufacturers appear to be taking the approach of ‘release first and fix problems later’. The question is: who is liable when something goes wrong?

Web of liability

It is important to untangle the IoT web of liability now as, by 2017, there will be more IoT devices in circulation than humans on the Earth. Users of the IoT, and manufacturers, cannot afford to enter into the IoT world unprepared.

Two of the main areas where liability can arise in the IoT are:

  • Device malfunction
  • Cyberattacks and theft of personal data stored on the device or network

As the IoT can connect devices from different manufacturers, it is possible for a user to own a smart fridge from manufacturer A, a smart coffee machine from manufacturer B, and a smart vacuum cleaner from manufacturer C, which are all controlled by a smartphone from manufacturer A that runs IoT software created by a third-party software developer. The IoT’s reliance on a complex chain of connected devices makes it much harder to establish who is liable, under traditional laws and regulations, when something goes wrong.

But, even at its simplest level, if a smart toaster overheats and burns down a house, the homeowner has a range of potential candidates who he or she can claim are liable for the loss. These range from the retailer, to the toaster manufacturer, through to the developers of the phone app or toaster software.

Will one party be wholly accountable? Or will the parties involved in creating and processing the integrated data components of the toaster be liable to some extent?

The risks with interoperability are heightened as many device manufacturers do not have experience designing secure computer networks or implementing security protocols on devices.

Many devices are also likely to be mass produced and, therefore, too cheap or not complex enough to include appropriate security measures to protect personal data.

Product liability

The situation with product liability is simpler today. When a stand-alone consumer device is faulty or malfunctions within a specified period of time, the user is entitled to certain remedies that are implied into every sale.

Under product liability law in Ireland, this includes the entitlement to a repair, replacement or refund from the seller. Product liability will continue to play a role in the IoT. For example, if a smartwatch develops a mechanical fault shortly after purchase the user will be able to return it to the seller.

Degree of liability

Manufacturers of IoT devices, IoT network providers and IoT software developers need to be aware that users may bring claims against one or all of them following a device malfunction or security breach. It is not clear if the aggrieved IoT user will be required to prove that they have suffered damage as a result of an IoT player’s actions or if the courts and lawmakers will adopt a ‘strict liability’ approach.

An alternative approach is for the courts and legislators to consider apportioning liability between everyone involved in the IoT product and network chain, regardless of their culpability. But this is not as simple as it sounds. For example, in the case of an IoT data breach or security hack of a network router, a court would have to decide if liability lies with the router manufacturer, the internet service provider or the actual hacker. The final option may not even be practical, as many hackers reside outside the reach of the law and the courts.

Criminal or civil remedies

In many cases, it is also not clear whether an aggrieved user is entitled to a criminal remedy, a civil remedy, or both. It is likely that the answer will depend on the severity of the liability. For example, a mere malfunction of a smart fitness monitor, leaving the user unable to measure their heart rate at the gym, is not likely to give rise to a civil or criminal conviction.

On the other hand, a smart city malfunction could create both criminal and civil liability. For example, if smart traffic lights installed by the local council malfunction, and an automated car driving under them is incompatible with the traffic lights, meaning that the car fails to stop and drives into an oncoming vehicle, the result could be serious injury to road users.

A situation like this could raise claims of criminal liability. However, it appears unfair to hold the car owner/driver responsible for causing injury when the culprit was in part the malfunctioning traffic lights and in part the malfunctioning car. In this type of situation, looking outside the traditional liability frontiers may be required.

IoT is still a work in progress

Regardless of the nature of the IoT device or network, or how they are used, there is always the potential for a device to malfunction or for a network to be hacked. The IoT will create new risks and this in turn will require a focus on liability.

Lawmakers and regulators will need to consider either new forms of liability, or new ways to manage and apply existing laws to different entities in the IoT supply chain. With the security and privacy risks at the fore of the public’s mind, the IoT is still a work in progress.

Gartner predicts that security of the IoT will be ‘maximised’ by 2020. But liability won’t wait until 2020. It is therefore critical that IoT manufacturers and developers do not wait for guidance from regulators but continue to refine and improve IoT security standards and protocols. This will provide them with a competitive advantage while at the same time improving user confidence in the IoT.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Spider web image via Shutterstock