IoT Hacks May Bring Frenzy of Litigation
The rush-to-market for connected, embedded, and smart devices has already left security in the rear-view mirror. And despite the Mirai attacks of 2016 and other countless Internet-of-things-related vulnerabilities and security research, little has been accomplished in keeping these devices from becoming an easy port of entry or pivot point for attacks targeting enterprises.
Now to make matters more complicated, here come the lawyers.
Somewhere, there is a conclave of plaintiffs’ lawyers wringing their hands waiting to file suits related to IoT hacks, according to Ijay Palansky, a trial lawyer in Washington, D.C. for the law firm Armstrong Teasdale, who said during the Black Hat security conference in Las Vegas that an inflection point is at hand for plaintiffs’ lawyers. “All conditions are ripe for a wave of these lawsuits,” Palansky said, likening it to a feeding frenzy.
Palansky should know; he’s the lead counsel for a 220,000-member federal class-action related to the Jeep hack disclosed in 2015 by researchers Chris Valasek and Charlie Miller. In their research, Valasek and Miller were able to remotely connect to a 2014 Jeep Grand Cherokee through the vehicle’s onboard, connected entertainment center. In a now-famous video featuring Wired senior writer Andy Greenberg, the two researchers were able to take control of the Jeep and manipulate its steering and braking.
The Jeep hack class-action suit has gone further than any other IoT-related litigation, largely because of the complexity of the technology and of the relationships between the potentially liable parties involved. IoT-related litigation isn’t as cut-and-dried as data breach legal action, for example, Palansky said.
“The relationship between the user and the supply side, and related entities on the supply side ecosystem are all interconnected. This raises challenging complexities when it comes to IoT litigation; it’s hard to predict how this plays out,” Palansky said. “I want to convince people here today that they are radically underestimating the risks and costs associated with the inevitable wave of IoT-based litigation that’s around the corner.”
Any pending or future litigation related to IoT hacks should also serve as a reminder that the implications of vulnerabilities, and of a lack of consideration toward potential risks, impact enterprises beyond the security team, and reinforces that security is truly a business issue.
On the technical side, a number of security issues ail IoT, ranging from a lack of, or poor, authentication (i.e., known default passwords), to a lack of encryption securing data in transit, to the fact that for many devices there just isn’t a way to easily update firmware or patch vulnerabilities. Palansky warns that the 20 billion or so connected devices in the market today have a distinct potential for harm, and that people are underestimating the risk posed by their limited cybersecurity and by proprietary code that makes patching a challenge. Connected cars and medical devices pose a particular concern because they introduce the possibility of physical harm; and when there’s an injured victim, there will be a lawsuit, Palansky said. “The legal rules when there is physical injury are much more favorable to plaintiffs,” he said. “When this happens with IoT and you get attribution, there will absolutely be a suit in every instance.”
Palansky said a pedestrian hit by a car that is hacked remotely could sue everyone in sight, including the driver, vehicle manufacturer, cybersecurity providers, programmers, sensor makers, and component manufacturers. The interconnected nature of IoT makes for a legal mess, and the respective defendants will fight it out in court, Palansky said, blaming each other across the board while the plaintiffs’ attorneys sit, watch, and learn. Judges and juries, meanwhile, are not well versed in connected technologies and could hold any and all parties liable if there is any question of whether they took the right level of care, he said. Parties could be exposed to claims of negligence, design defects, breach of warranty, fraud, or fraudulent omission, he said. This could ramp up the costs associated with any litigation, starting with legal fees and paying experts for their time, and extending to the less tangible cost of the distraction key employees face while preparing for, and during, trial.
So why hasn’t this wave started yet?
Palansky said that plaintiff lawyers are excellent at biding their time. “They’re not all ambulance chasers. The good ones invest in lawsuits and get paid through contingency fees; they’re paid if they win. They want to know the likelihood they’re going to win if they succeed,” Palansky said.
The two prerequisites for litigation, harm and attribution, haven’t yet been met, he said. Yes, there are lots of hacks, but few that are good candidates for lawsuits. Lawyers, meanwhile, still may not be comfortable in their understanding of the technology and the relationships between all the parties.
“All of that is on the verge of changing,” Palansky said. “Cyber in IoT is not where it needs to be. There are going to be hacks with cyber-physical impact that will lead to lawsuits. And as there are more suits, plaintiff lawyers are going to be more knowledgeable and you’ll end up with a snowball effect that takes off quickly. The plaintiffs’ bar is talking about this. They’re salivating over this. It’s going to be a feeding frenzy.”
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.