It is safe to say that the connected industry will not self-regulate and take the necessary security measures when developing new IoT products. The financial gain from first-mover advantages, combined with CEOs whose bonus and option value depends on business financial performance rather than the safety of their customers, has led to an unacceptably fragile and insecure connected world.
As more of our lives come under the control of machines, the negative impact of security flaws increases. Politicians worldwide seem semi-aware of this scary development. Small steps to regulate the IoT industry have been taken on most continents, but without any meaningful impact on the industry.
All new regulations have come with recommendations, not hard requirements. Vague laws such as the UK's and Singapore's latest cyber security efforts, California's Senate Bill 327 and the new ETSI consumer IoT standard in Europe leave too much power to the industry to self-regulate and self-comply. If industries turn a blind eye to soft regulations, what options exist?
Bring class action litigation against vendors with known security flaws in their products
Dalin Robinson presents a very interesting approach in his paper that focuses on class action litigation in the IoT world, titled “Click here to sue everybody: Cutting the Gordian Knot of the Internet of Things with class action litigation.”
In a nutshell, he suggests bringing class action litigation against all IoT vendors with obvious security design flaws, specifically pointing out products from Google, Philips and Samsung. A class action means suing a company for its security design flaw on behalf of all of its customers. Class actions are meant to hurt: Punitive damages and having to compensate every customer might force vendors to rethink their security standards for connected products.
Even CEOs have to rethink the situation if potential financial losses lurk in the shadows of class actions. As a result, companies might begin to design security into their products, because once insecure products carry litigation risk, secure products become the path to higher personal bonuses and payouts.
Dalin argues that in the U.S. consumers can use the Magnuson-Moss Warranty Act (MMWA), which governs consumer product warranties and protects consumers from deceptive warranty practices. A plaintiff who brings an MMWA claim for breach of the implied warranty of merchantability is essentially alleging that a product was designed or manufactured with flaws so fundamental that it should never have been sold.
The Fiat Chrysler incident knocks the doors open
The Jeep Cherokee vulnerabilities reported by Wired in 2015 showed how remote attackers took control of the vehicle by exploiting flaws in its Uconnect infotainment system, reaching it over the cellular network and then pivoting to driving functions. Once the research was published, a putative class action seeking meaningful relief quickly followed in Flynn v. FCA, which in 2018 resulted in three classes being certified to pursue claims under the MMWA and Michigan's Consumer Protection Act.
Undoubtedly, the recall of 1.4 million vehicles to fix the vulnerabilities, management reshuffling and years of legal battles will take their toll on Fiat Chrysler. More importantly, Dalin argues that the courts allowing these cases to proceed opens the door for a large number of class actions against any vendor with insecure products.
Make it as easy to sue as it is to accept EULAs
Dalin suggests bringing class action litigation against companies with insecure products before any damage has occurred. By doing so, companies will begin to understand that consumers will file class actions as soon as their products are proven insecure, which might be the best deterrent against a highly insecure connected world. If consumers can organize and initiate class action lawsuits, we only need a couple of verdicts to set the proper precedent for what we as a society expect when it comes to the security of connected devices.
The same can be said for the UK and other large economies that allow class action lawsuits. These countries represent the majority of the relevant markets for vendors of connected devices. If this idea spreads to more countries and consumers win, we might see a new security standard worldwide, because CEOs will realize that shipping secure products is what increases their bonus checks.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.