HOW & WHY SMART SYSTEMS PRESENT NEW LEGAL CHALLENGES
By Erin Fonte
At its most basic level, the “Internet of Things” (IoT) can be defined as the interconnection via the Internet of computing devices embedded in everyday objects, which enables such objects to send and receive data. Gartner estimated that, as of 2016, there were 6.4 billion connected “things” in use worldwide, and this figure is expected to hit 20 billion by 2020. A subset of the “Internet of Things” is the “Industrial Internet of Things” (IIoT), which refers to connected and smart devices used in business and manufacturing. The IIoT differs from the largely consumer-facing IoT in fundamental ways, as it is directed to serve machines and industrial systems.
There are IIoT-connected devices in oil fields, gas pipelines, water systems, dams and heavy industry, and IIoT underpins the electricity grid, train systems, highways and ports. With this development and deployment of IIoT, there are key legal issues that arise in the realm of connected industrial devices.
Privacy And Data Security
There is growing evidence that IoT devices are not only vulnerable but also regularly hacked. From the March 2017 WikiLeaks revelation that the CIA used everyday connected devices to gather intelligence, to the Mirai attacks in 2016, during which webcams were recruited into a botnet army that helped knock parts of the internet offline, the problem is serious and growing, and the IIoT is not immune.
But despite the huge numbers and omnipresence of IoT and IIoT devices, cybersecurity testing is still in its early stages. There are currently few guidelines in place that vendors can use either to test their own products against an industry standard or to inform potential customers (consumer or commercial) that a product is “cyber secure.”
One of the world’s best-known product testers, Underwriters Laboratories (UL), is attempting to fill this gap by delivering cybersecurity validation for IoT devices through its Cybersecurity Assurance Program (CAP).
The organization has developed a cybersecurity standard called UL 2900 that covers a wide range of products, such as industrial control systems, medical devices, automotive, HVAC, lighting, smart home, appliances, alarm systems, fire systems, building automation, smart meters, network equipment and consumer electronics. Currently, the UL program tests products submitted by their manufacturers, a model the product testing organization believes is a good option because it gives vendors the ability to prove the safety of their devices and software.
Questions regarding data ownership in IoT typically center on data collected from factory-connected devices—products embedded with IoT devices and sold to a consumer—that share data back to the manufacturer and can be associated, directly or indirectly, with an individual. This process, which currently happens with connected cars and smart home devices, triggers numerous consumer privacy issues.
But another issue arises with regard to the most appropriate way to protect data generated by IIoT-connected devices. Such data can be classified as company or entity confidential information or trade secrets, but is there also a copyright, or at least a sui generis database right, in such data?
The IIoT also presents unique questions about data ownership between a company and its vendors and suppliers. How does a third-party vendor monitor and maintain the rich data provided by a factory’s connected devices, for example? There is intellectual property embodied in this data, with associated ownership, security and liability issues that have to be addressed in a company’s contract with the vendor. Moreover, what if the third-party vendor goes bankrupt or dissolves? How will the initial contract address this possible turn of events?
The IIoT creates fundamental changes in the organization of large-scale industrial businesses and may require rethinking basic legal mechanisms for conducting business. It may change the concept of “ownership” of industrial components. It also forces consideration of how best to contractually allocate risks (of both “ordinary” events and catastrophic cyberattacks). The IIoT also requires reexamination of what a business thinks of as its “assets” and is likely to present emerging issues in financing, acquisitions, mergers and insurance coverage.
Take the example of a connected “smart valve” used in oil and gas. This is no longer a traditional buy/sell agreement between two parties for the purchase of the valve. There are now additional parties involved that provide the data that makes this valve operate and that maintain the software that communicates with the entire system. Did the company purchase this valve from a hardware manufacturer together with its software from a separate vendor, or are these completely separate agreements? Is the data actually purchased, or is it leased (i.e., data ownership issues)? Who provides the maintenance for this data, and what if the data provider goes out of business? All of these issues may push traditional buy/sell agreements for parts and components toward a “parts-as-a-service” model that mimics current “software-as-a-service” contracts.
A variety of legal disciplines, such as intellectual property, insurance and indemnification, commercial contracting, and antitrust/regulatory compliance, have yet to be considered in depth in relation to the IIoT. All of these practices will, however, interact with the IIoT in the future.
Let’s go back to our “smart valve” example. Previously, a “dumb” valve would have been a simple part of the system, and after purchasing the valve, the company would have manually controlled the flow of materials (oil, gas, chemicals, syrup) through the valve. Once in operation, the legal concerns would have been relatively minimal.
But a “smart” valve receives information from the control system that determines the flow and even the quality of what is moving through the pipes. Initially, the immediate legal concern for this smart valve is cybersecurity. If it is controlled by internal software and operated by data rather than people, it is subject to technical failure and potential attack, with catastrophic consequences. However, there are legal implications beyond this initial concern.
In the case of connected IIoT technologies, when something goes wrong, it may be difficult to determine the extent of each supplier’s liability for the overall company system. This becomes more complicated for artificial intelligence-driven systems, which rely on massive amounts of collected data; it will become far more difficult to determine why a machine took a specific action at a specific time.
As the IIoT continues to develop and evolve, all of these legal issues will become more important in how a company obtains, designs and deploys its IIoT technology.
Erin Fonte is head of Dykema’s Financial Services Regulatory and Compliance Group and a member in the firm’s Austin office. Erin assists clients with a broad range of matters related to FinTech, payments/payment systems, digital commerce, banking & financial services, cybersecurity, privacy and data asset management.