Web of liability
September 2017 - Michael Gras
As internet-connected devices become more entangled in our daily lives, emerging security risks must be addressed. And when manufacturers fall short, plaintiff attorneys should be prepared to hold them accountable.
In a relatively short time, the internet has grown from a small network that linked a handful of university computers to a worldwide web that touches every aspect of our lives. We have gone from using the internet on closet-sized computers to having it available everywhere we go on our phones. But that was only the beginning.
Now the internet is connecting to devices that were not traditionally thought of as “high tech”: appliances, cars, thermostats, light bulbs, and even medical devices such as pacemakers and defibrillators.1 According to some estimates, by the year 2020, there will be 50 billion connected devices throughout the world.2 All of the world’s connected devices are collectively known as the “Internet of Things” (IoT).
But while the IoT has great potential benefits, it also brings risks. One risk is that a malicious actor could hack into a connected device and either violate a user’s privacy or affect the device’s operation so that it harms the user or others. Therefore, manufacturers of these connected devices should act responsibly by securing them against cyberattacks.
Principles governing connected device cybersecurity reflect general, long-standing cybersecurity concepts. These devices are essentially little computers that exist on a network—just like “regular” computers. Corporations should not treat the computer systems that host their emails with more care than the devices they put in consumers’ homes and bodies.
As the IoT expands, plaintiff attorneys should be aware of the standards for connected device cybersecurity—and the key cybersecurity concepts underlying them. Armed with this knowledge, you can hold device manufacturers accountable for the harm that results when they fail to follow those standards.
Regulatory agencies and standards-creating organizations such as the International Standards Organization (ISO) and National Institute of Science and Technology (NIST) provide some guidance for connected device manufacturers.
For example, the National Highway Traffic Safety Administration (NHTSA) recently released best practice guidelines for automobile cybersecurity, which apply basic cybersecurity concepts to connected vehicles.3 In its recommendations, the agency cites to industry standards that deal with general cybersecurity issues, such as the NIST “Framework for Improving Critical Infrastructure Cybersecurity,”4 the Center for Internet Security’s “Critical Security Controls for Effective Cyber Defense,”5 and certain ISO standards that deal with general information technology security.6
The Federal Trade Commission (FTC) and the FDA also have released guidance related to connected device security. The FTC’s “Internet of Things: Privacy and Security in a Connected World” report offers a good introduction to many of these topics.7 The FDA also issued guidance for premarket and postmarket phases of connected medical devices.8 Like the NHTSA document, the FDA’s guidance cites to ISO and other industry standards dealing with general cybersecurity concepts and vulnerability reporting.
Medical device manufacturers also must be mindful of medical privacy laws, such as HIPAA. HIPAA requires the secretary of the Department of Health and Human Services (HHS) to adopt security standards and safeguards to protect against “reasonably anticipated threats or hazards.”9 These standards—commonly referred to as HIPAA’s “Security Rule”10—are enforced by HHS’s Office for Civil Rights11 and should apply to connected devices since the information they collect could qualify as protected medical information.
Securing Connected Devices
The industry standards and agency guidance rely on basic cybersecurity concepts that IoT companies should be incorporating when developing their products.
First, connected devices, and the systems they are part of, must be designed with security in mind from the beginning—it cannot be an afterthought. Manufacturers must follow best practices from the start and use redundant security features—also known as practicing a “defense in depth” or a “layered defense” approach to cybersecurity. Then, if any one security feature is compromised, other systems are in place to mitigate the damage from the breach.
Manufacturers must engage in good “access control”: measures to limit access to protected systems, such as using passwords or secure keys. However, good access control alone is not enough. Manufacturers also must know how devices and systems are connected to each other and separate,unrelated systems. Just as a corporation should never host its public website on the same server as its proprietary trade secrets, an automaker should not connect the internet-enabled infotainment system to critical safety systems such as braking and steering. And companies should try to minimize the amount of data they collect whenever possible. Hackers cannot steal data that does not exist.
One of the most important cybersecurity tenets is performing a comprehensive risk assessment. These assessments seek to identify possible threats and evaluate them based on criteria such as the likelihood of the threat occurring, the difficulty of carrying out the threat, and how much damage could be done if the threat was realized. For example, a violation of privacy would be evaluated as less severe than a threat to physical safety.
Manufacturers should perform penetration testing to identify and fix vulnerabilities as soon as possible. Third-party contractors or individuals from within the organization who had no role in the device’s design often perform this task so that a fresh set of eyes can try to discover vulnerabilities before a malicious actor does.
Connected device manufacturers should be responsible for monitoring and supporting the device throughout its life cycle. They should have an effective method for updating devices when new vulnerabilities are discovered, and they should develop a vulnerability reporting and disclosure policy that governs the manufacturer’s relationship with security researchers who may discover new vulnerabilities. Manufacturers should work with the security community to responsibly identify and fix vulnerabilities before they become a problem.12
Sometimes device manufacturers take an antagonistic stance against security researchers. This position is unfortunate and is not helpful in improving security. Other companies, however, work with the security community and welcome its input. Some organizations establish “bug bounty” reward programs that incentivize research into their products: If a new vulnerability is discovered, the company compensates the researcher who found it.
Risks and Potential Liability
Connected devices have three main risks of harm: to the user’s privacy, to the user’s personal safety, and to third parties.
Privacy rights violated. Connected devices are collecting unprecedented amounts of information from our daily lives. In November 2015, for example, hackers accessed confidential information from smart-toy manufacturer VTech, attacking the company’s servers rather than the devices themselves. Hackers gained access to user profiles, chat logs, and even audio recordings of children playing with the toys at home. Consumers sued, alleging violations of state data breach laws and certain state consumer protection laws, negligence, implied contract, and unjust enrichment. The defendants moved to dismiss. The Northern District of Illinois granted the motion in July for lack of subject matter jurisdiction and failure to state a claim.13
The case, however, shows the relationship between connected devices and other systems of which they are a part—the hacker attacked VTech’s servers that were storing the information, not the devices themselves. As discussed above, the FTC recommends data minimization—that companies shouldn’t collect more data than they need. So what purpose would keeping those audio recordings of children serve?
Connected device manufacturers have been sued for the information they collect without any cybersecurity-related allegations.14 For example, in April, Bose headphone users filed a class action against the company, alleging it uses an app that tracks what they listen to (music, podcasts, and more) and sells the information without their permission to third parties, in violation of their privacy rights.15 As connected devices become more prevalent, the data they collect will increase. It is only a matter of time before malicious actors steal financial information, such as credit card numbers, from connected devices.
Physical harm. Hacking certain connected devices, such as cars and medical devices, can cause physical injuries and is a developing area of litigation. Plaintiffs in Cahen v. Toyota, the first car hacking case, alleged that the vehicle network CAN bus, which connected the electronic control units of the cars, was not secure.16 Defendants moved to dismiss based on lack of standing, alleging that the plaintiffs had suffered no injuries. The court granted the motion, and the plaintiffs appealed.17
The most famous example of vehicle hacking happened in July 2015 and was featured in a Wired magazine article discussing how security researchers were able to shut down an unaltered 2014 Jeep Cherokee in highway traffic.18 On a closed course, they also were able to affect other critical systems, such as steering and braking. This hack revealed that vulnerabilities in the internet-connected radio in certain Chrysler vehicles would allow a hacker access to the radio. The troubling aspect, however, was that after accessing the radio, the hacker could then change some code and remotely send commands to the vehicle’s other systems, including the CAN bus.
A few weeks later, a group of Chrysler vehicle owners filed a class action in the Southern District of Illinois against Chrysler and Harman International, the company that makes the Uconnect dashboard computer.19 Even though the vehicles were recalled, the plaintiffs alleged that the recall was deficient because it closed only the specific vulnerabilities that allowed the researchers access to the vehicle and that unsecure systems, such as the radio, are still inappropriately connected to critical vehicle systems. Unless and until the unsecured systems can be properly segmented from critical safety-related functions, these vehicles remain defective and dangerous.
The plaintiffs sued for fraud, breaches of implied and express warranties, and violations of the Magnuson Moss Warranty Act, which governs warranties on consumer products. The defendants moved to dismiss, but the plaintiffs, who are seeking damages for overpayment for cars that are unsafe and for the diminished value of these vehicles, survived the motion.20
Medical devices also have the potential to cause personal injuries. In 2013, Dick Cheney said in a “60 Minutes” interview that his doctors made sure all connectivity was disabled when his pacemaker was installed in 2007.21 He had good reason to be concerned. Later, a security researcher demonstrated the ability to remotely cause a pacemaker to deliver a potentially catastrophic 830-volt shock to the user.22 The same security researcher also discovered a way to trigger implanted insulin pumps to dispense extra, unauthorized doses of the drug.23
The FDA is beginning to take an active role in enforcing cybersecurity standards in medical devices. In April, the agency sent a warning letter to St. Jude Medical, Inc. (now Abbott) after previously finding problems with its implantable defibrillator devices.24 As part of the FDA’s original findings, Abbott was required to, among other things, conduct a comprehensive cybersecurity risk evaluation. The warning letter stated that Abbott failed to properly incorporate this risk evaluation’s findings into its security ratings in violation of 21 C.F.R. §820.30(g), which deals with design validation generally.
This FDA letter appears to represent an expansion of the relevant regulations to include cybersecurity standards and threats, signifying the agency’s belief that a failure to address cybersecurity vulnerabilities implicates problems with general design and validation.
Attacking a third party. One type of IoT risk that’s often overlooked but also could be very serious is a malicious actor using connected devices as a “botnet” army to carry out cyberattacks against other targets. Botnets are groups of infected computers that can be controlled by a central source. These botnets are often used to flood legitimate websites with requests that cause them to crash because they can’t handle the additional traffic—known as a Distributed Denial of Service (DDoS) attack. In most cases, the owner of the infected device isn’t aware that anything is wrong. Outwardly, the device acts normally. But behind the scenes, the device is spewing data at whatever target the virus’s creator wishes.
This scenario has already occurred, and the results were disturbing. In August 2016, security researchers discovered a new computer virus called “Mirai” that spread among millions of internet-connected devices, such as security cameras and routers.25 The virus constantly scanned the internet for connected devices that had weak security and then replicated itself onto those devices. Distributed over millions of connected devices, it then waited for a command to start the DDoS attacks. This botnet was used in a few minor attacks before it targeted Dyn, a major provider of Domain Name System (DNS) servers across the country, which are the backbone of the internet.26 The attack temporarily crippled Dyn’s servers, bringing down many major websites.27
The disruption was large enough to attract the FTC’s attention, which brought an enforcement action against D-Link, the manufacturer of many of the infected devices.28 The FTC accused D-Link of having substandard security on its connected devices.29 For example, all D-Link connected devices were shipped from the factory with a username and password of “guest” available to use.
The FTC alleged that these substandard cybersecurity practices violate §5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”30—the vulnerabilities could cause unavoidable injuries to consumers, and D-Link misrepresented its devices’ security in promotional materials and policies. D-Link, however, denied having made misrepresentations and argued that past vulnerabilities cannot constitute harm.31
Connected devices are here to stay and will only become a bigger part of our lives. As plaintiff lawyers, we must be diligent to ensure reasonable safety standards and to hold companies accountable when they fail to protect consumers.
Michael Gras is an attorney with Cueto Law in Belleville, Ill. He can be reached at firstname.lastname@example.org.
- Lily Hay Newman, Medical Devices Are the Next Security Nightmare, Wired (Mar. 2, 2017), www.wired.com/2017/03/medical-devices-next-security-nightmare.
- Fed. Trade Comm’n, Internet of Things: Privacy and Security in a Connected World (Jan. 2015), https://tinyurl.com/nhvju4z.
- See generally Nat’l Highway Traffic Safety Admin., Cybersecurity Best Practices for Modern Vehicles (Oct. 2016), www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf.
- Id. at 10 (citing Nat’l Inst. of Sci. & Tech., Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf).
- Id. at 11 (citing Ctr. for Internet Sec., The CIS Critical Security Controls for Effective Cyber Defense (Oct. 15, 2015), https://cybersecurity.idaho.gov/wp-content/uploads/sites/23/2016/10/CSCmaster.pdf).
- Nat’l Highway Traffic Safety Admin., supra note 3, at 11 (citing ISO 27000 series).
- Fed. Trade Comm’n, supra note 2.
- See Food & Drug Admin., Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2, 2014), www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm356190.pdf; Food & Drug Admin., Postmarket Management of Cybersecurity in Medical Devices (Dec. 28, 2016), www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm482022.pdf.
- 42 U.S.C. §1320d-2(d) (2012).
- 45 C.F.R. pt.160 (2017); 45 C.F.R. pt.164 subparts A and C (2017).
- U.S. Dep’t of Health & Human Servs., $2.14 Million HIPAA Settlement Underscores Importance of Managing Security Risk–October 17, 2016 (Oct. 14, 2016), www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjh.
- The “security community” refers to security researchers—also known as “white hat hackers”—who try to find new vulnerabilities in systems and report them before malicious “black hat hackers” find and exploit them to cause damage. The community meets at yearly conventions—such as Defcon, held in Las Vegas each year—and is very active on Twitter.
- In re VTech Data Breach Litig., 2017 WL 2880102 (N.D. Ill. July 5, 2017).
- Jonathan Stempel, Bose Headphones Spy on Listeners: Lawsuit, Reuters (Apr. 19, 2017), www.reuters.com/article/us-bose-lawsuit-idUSKBN17L2BT.
- Zak v. Bose Corp., No. 1:17-cv-02928 (N.D. Ill. filed Apr. 18, 2017).
- Cahen v. Toyota Motor Corp., No. 3:15-cv-1104 (N.D. Cal. filed Mar. 10, 2015). CAN (Controller Area Network) bus allows different devices (such as brakes and air bags) on a vehicle to communicate with each other through a central protocol.
- Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955 (N.D. Cal. 2015). At the time this article went to publication, the plaintiffs’ appeal was pending before the Ninth Circuit. Cahen v. Toyota Motor Corp., No. 16-cv-15496 (9th Cir. filed Mar 23, 2016).
- Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway—With Me In It, Wired (July 21, 2015), www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
- Flynn v. FCA US LLC f/k/a/ Chrysler Group LLC, No. 3:15-cv-855 (S.D. Ill. filed Aug. 4, 2015). The plaintiffs in this case are represented by the undersigned author of this article.
- At the time this article went to publication, the case was progressing toward the class certification stage.
- Lisa Vaas, Doctors Disabled Wireless in Dick Cheney’s Pacemaker to Thwart Hacking, Naked Security (Oct. 22, 2013), https://tinyurl.com/lqbczrj.
- Jeremy Kirk, Pacemaker Hack Can Deliver Deadly 830-Volt Jolt, Computerworld (Oct. 17, 2012), www.computerworld.com/article/2492453/malware-vulnerabilities/pacemaker-hack-can-deliver-deadly-830-volt-jolt.html.
- Dan Goodin, Insulin Pump Hack Delivers Fatal Dosage Over the Air, The Register (Oct. 27, 2011), www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/.
- Food & Drug Admin., Warning Letter to Abbott (St. Jude Medical, Inc.) (Apr. 12, 2017), www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm552687.htm.
- Symantec Security Response, Mirai: What You Need to Know About the Botnet Behind Recent Major DDoS Attacks (Oct. 27, 2016), www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks.
- Nicky Woolf, DDoS Attack That Disrupted Internet Was Largest of its Kind in History, Experts Say, The Guardian (Oct. 26, 2016), www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet.
- Some of the websites included Netflix, Fox News, CNN, Twitter, Reddit, and PayPal. Sam Thielman & Chris Johnston, Major Cyber Attack Disrupts Internet Service Across Europe and US, The Guardian (Oct. 21, 2016), www.theguardian.com/technology/2016/oct/21/ddos-attack-dyn-internet-denial-service.
- Fed. Trade Comm’n, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of its Computer Routers and Cameras (Jan. 5, 2017), www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
- FTC v. D-Link Corp., No. 3:17-CV-00039-JD (N.D. Cal. filed Mar. 20, 2017), https://www.ftc.gov/system/files/documents/cases/d-link_complaint_for_permanent_injunction_and_other_equitable_relief_unredacted_version_seal_lifted_-_3-20-17.pdf.
- 15 U.S.C. §45(a) (2012).
- At the time this article went to publication, the court had not ruled on the manufacturer’s motions to dismiss, and the case had proceeded to discovery.