The Cybersecurity Legal Plot Thickens

Feb. 13, 2018
When it comes to cyber vulnerability and liability, integrators are often stuck in the middle between manufacturers and customers

IoT devices present new challenges to the traditional warranty and liability analysis. The law and legal precedent are still developing, and it may be difficult for parties in the "stream of commerce" (manufacturers, sellers, distributors, integrators, installers, etc.) to fully comprehend the liability and warranty issues.

In most, if not every, state there is an implied warranty of merchantability and an implied warranty of fitness for a particular purpose. This means that there is a body of law in each state that must be accounted for in a manufacturer's warranty and liability considerations. Even if a device is sold "as is," or the manufacturer otherwise indicates in writing that no warranty is given, there are still limits on such disclaimers of warranty. Some states explicitly forbid "as is" sales.

Individuals may also seek to hold device manufacturers liable under traditional product liability theories.

While the specifics of product liability law vary by state, a basic underlying question is whether a security vulnerability is a "defect" that renders the device unreasonably dangerous under applicable law. Of course, how to demonstrate "defect" and "unreasonably dangerous" for IoT devices is still new and evolving.

In addition to traditional products liability law, manufacturers must be aware of regulatory liability as well. For example, the Federal Trade Commission (FTC) brought an action against TRENDnet over security flaws, alleging that TRENDnet "failed to use reasonable security to design and test its software, including a setting for the camera password requirement." The FTC and TRENDnet settled, and the settlement required TRENDnet to establish a comprehensive information security program to address security risks.

Integrators, too, need to be aware of warranty and liability considerations. Integrators are considered to be in the stream of commerce, and customers often seek out integrators as their first line of support; the integrator becomes the face of the engagement for the customer.

Integrators must be cognizant of the obligations they receive from upstream entities (i.e. manufacturers) and the obligations they offer to downstream entities (i.e. the customer). For example, an integrator installing a manufacturer's devices should not offer its customers any representations and/or warranties on those devices beyond what the manufacturer itself offers. When an integrator makes additional representations and/or warranties around manufacturer-provided devices, it may leave itself in the untenable position of being responsible to the customers to whom it gave those additional warranties, without any recourse against the manufacturer, because the manufacturer may have contractually disclaimed such warranties for the devices.

Installing companies need to ensure that, when they engage with consumers to provide manufacturer-originated products (e.g. software, hardware, etc.), the engagement is governed by a contract in which the integrator offers no warranties to the consumer beyond what the manufacturers themselves are willing to offer. Ideally, integrators should consider operating in the "reseller model" and allow manufacturers to be directly responsible (if at all) to the customers.

Integrators do not want to be left holding the bag when manufacturer-originated products become a point of failure. To minimize risk in such cases, integrators should seek contractual indemnification from manufacturers. While indemnification will not prevent lawsuits, it may provide another avenue for the integrator to recover payment for its liabilities (depending on how the indemnification language is written).

Siddharth "Sid" Bose is an attorney with Ice Miller's Data Security and Privacy Group in Indianapolis. He counsels clients on various data security and privacy issues dealing with online privacy, vendor contracts and agreements, IT audit, compliance, data breaches, disaster recovery, the Internet of Things (IoT) and business continuity planning.