Fifty Billion Connected Devices Bring Tort, Software Law Clash

Bloomberg Law’s combination of innovative analytics, research tools and practical guidance provides you with everything you need to be a successful litigator.

By Julie A. Steinberg

Feb. 25 — Over 50 billion consumer devices and products will connect to the Internet by 2020, according to some estimates. The exponential growth of the so-called Internet of Things will create a host of product liability concerns, and potentially significant new business for lawyers, as the old law of the physical world runs up against the new law of the online world.

“The next phase of huge product liability litigation will come from the Internet of Things,” plaintiffs' attorney Steven Teppler, a partner in the Abbott Law Firm in Jacksonville, Fla., told Bloomberg BNA recently.

The product liability challenge embedded in connected devices, which include everything from smart coffee pots and ovens to medical devices and cars, is “the collision between two traditional sets of legal questions,” law professor Andrea Matwyshyn of Northeastern University in Boston told Bloomberg BNA.

On the one hand we have “relatively established product liability law dealing with physical objects, where we've basically created a series of legal protections for consumers to enable them to have a minimum floor of functionality and safety,” she said.

And consumers have recourse in tort and contract law if something goes wrong, said Matwyshyn, a visiting research collaborator at the Princeton Center for Information Technology Policy in New Jersey.

On the other hand is “this universe of end-user license agreements that govern in practice almost all the consumer's engagement with software and software-related products, where traditionally companies have disclaimed any and all responsibility for functionality, standards and liability risk,” she said.

“That world is now going to clash with the traditional world of physical products,” Matwyshyn said.

And that world is getting bigger and bigger.

Everything's Connected

There may come a point in time where all household appliances and electronics are is connected to the Internet, defense attorney H. Michael O'Brien told Bloomberg BNA.

Manufacturers want to sell the data the products generate, or they want to be able to better service the product, O'Brien, a product liability attorney and partner at Wilson Elser in White Plains, N.Y., said.

But the appeal of an oven or a coffee maker that can be programmed remotely through a smartphone app, or a refrigerator that tracks groceries and sends a list to the store, may come at a price.

Connected devices, at least at present, typically are “poorly designed” and “have very little baked-in security,” said Teppler. “How do you ensure the coding won't end up harming people?”

Another concern is that the effects of a design flaw may be magnified in an IoT device because of the sheer number of units that are affected by a common defect in the code, said Teppler, who leads his firm's technology-based, class action and mass tort litigation practice group.

Information Deficit

Another problem is the lack of pre-buying consumer information.

Consumers don't have enough information to make purchasing decisions based on a connected device maker's security testing, Matwyshyn said.

As courts start to struggle with product liability questions, there's a “need for an information-nudge,” she said, a new regime “to allow consumers to reward the companies that invest in robust information security testing.”

“That model has not yet emerged. Hopefully, it will emerge in the next five years,” she said.

The stakes are high in the resolution of legal issues governing connected consumer devices, Matwyshyn said.

“When it's just my ‘[computer] operating system crashing and deleting a chapter of a book, that's annoying,” Matwyshyn said, “but we've accepted that.”

“Now imagine it's the operating system of my car that crashes, that could mean my car crashing and causing physical harm,” she said.

Matwyshyn said cars increasingly come with end-user license agreements for the software in the car that limit liability.

But can the maker of the whole product, such as a refrigerator, be held liable for the failure of software as a component part? “The answer to this question is legally unclear,” Matwyshyn said, and goes to the tension between end-user license agreements and traditional product liability law.

“IoT device malfunctions are both physical and software-based, so they are likely to provide some of the early test cases that force judges to address this tension in liability models and either (1) take a side or (2) create a third new intermediate model of liability for IoT products,” Matwyshyn said.

Discovery and Investigation

Some aspects of litigation in this area will remain similar to traditional product liability law.

If a connected product such as an oven fails and a fire results, forensic engineers would investigate and determine if the product played a role in the fire. They would try to isolate cause just as they would in a suit involving a conventional appliance alleged to have caused a fire, O'Brien, the defense attorney, said.

However, he noted that the overlay of the software in an IoT device adds “another layer of complexity” to that type of traditional investigative work in product liability cases. “It brings into play the question what new engineering discipline do you need to bring in, to make a forensic determination?”

Also offering a scenario involving an oven, Matwyshyn hypothesized that a coding flaw in the product's remote preheat function could cause the house to burn down. She asked, “Is that the fault at all of the consumer who chose to pre-set the oven, and perhaps was the starting point for the situation but wasn't the only contributing variable?”

Matwyshyn and O'Brien said it's possible in some situations that a defendant would argue a consumer played a part in bringing about damage, for example by not updating software.

“There, we'll get into discussions, undoubtedly with expert testimony, about what levels of care are appropriate on the part of the consumer and what constitutes reasonable care in the construction of these products,” Matwyshyn said.

The Federal Trade Commission has adopted the position that every maker of a code product, which, by necessity, includes all connected devices, needs to implement reasonable security measures in the code, she said.

“Figuring out how that standard of reasonableness on the part of the manufacturer will interact with some component of care on the part of the consumer will be developed in case law,” Matwyshyn said.

Privacy Concerns

Moving forward, the discovery process in connected device litigation could implicate privacy concerns, O'Brien said.

“I envision situations where a consumer who is a plaintiff in a lawsuit may be asked in discovery to make available information from their handheld devices or tablets if they operate an IoT product that is the subject of a property damage claim and they program and control the device by the handheld or tablet,” he said.

“The friction will occur when people begin to resist turning over their devices that contain all manner of data as they may feel that it is an invasion of privacy,” he said.

“This type of discovery might be to determine if a hack occurred or if the updates to software that allows the IoT connected product to function properly were not installed,” he said.

The information might be a basis to claim contributory negligence or comparative fault on the part of a consumer. Or it might help establish that the product failure was caused by the actions of a third party intentionally, such as when a hack makes the product cause damage, O'Brien said.

Current Litigation and Standing

Some consumers have already filed would-be class suits against automakers and toy companies.

Standing, or whether enough harm has been shown to proceed with these cases, is emerging as a contested issue.

In November, a judge in the U.S. District Court for the Northern District of California dismissed a suit by a would-be class of plaintiffs who alleged Toyota, Ford and GM failed to ensure the electronic security of their vehicles.

The court found the elements of standing weren't met and plausible injury wasn't shown. No plaintiffs alleged hacking actually occurred in a real-world situation, only that it could occur.

“The thrust of the decision was that there was no immediacy of injury,” O'Brien said.

The court entered judgment for the automakers Feb. 22, after the plaintiffs said they wouldn't file an amended complaint, in Cahen v. Toyota Motor Corp., N.D. Cal., No. 3:15-cv-01104, judgment 2/22/16.

In another car case, defendants have raised a lack of standing, as well as other issues, in recent motions to dismiss a suit against FCA US LLC and Harman International Industries Inc, Flynn v. FCA US LLC, S.D. Ill., No. 15-00855, motion filed 2/19/16.

That suit followed a Wired Magazine report about a remote hack of a Chrysler Jeep, in which software developers took control of a moving vehicle through its Internet-connected “infotainment” system.

And parents who bought VTech learning toys for their children filed would-be class suits against the company after learning that its database had been hacked, affecting information from millions of people, including children.

A judge in the Northern District of Illinois recently consolidated the five suits that are pending before him over these toys, in In re VTech Data Breach Litig., N.D. Ill., No. 15-10889, consolidation 2/10/16.

In yet another suit over smart toys, two mothers have sued Mattell, alleging the company's Hello Barbie isn't as secure as it should be and recorded voices of children without parental consent, in Archer-Hayes v. Toytalk, Inc., Cal. Super. Ct., No. BC603467, complaint filed 12/5/15.

Medical Devices

An extremely frightening scenario involves medical devices that can be hacked, resulting in potential or real patient harm.

The Food and Drug Administration reported in 2015 that a Hospira Inc.-made Symbiq pump that infuses drugs at a patient's bedside could be hacked through hospital networks, causing an over- or under-dose .

In 2013, former Vice President Dick Cheney said he had disconnected his defibrillator from the Internet because of concerns about a hack, O'Brien recounted.

O'Brien said he wasn't aware of any current suits involving medical devices, but, “When people hear this, they get concerned.”


O'Brien, the defense attorney, said there appears to be some overlap between IoT-related security breach suits and earlier security breach suits that didn't involve products.

“My understanding is that some courts have been willing to dismiss cyber breach class actions brought by consumers who claim the theft of their personal information may subject them to future damages such as misuse of their personal information for credit fraud, etc.,” he said.

“Courts have dismissed these actions claiming the threat of injury is not enough to establish actual harm or damages,” O'Brien said.

“That may be where the battle ground will be,” he said. Or, at least one of the first battlegrounds, as standing is a threshold issue that needs to be shown at the beginning of litigation.

However, Matwyshyn said the FTC “is certainly receptive to those claims.” The agency has entered into more than 50 consent decrees with various companies because of unreasonable levels of security, she said.

The agency's enforcement activity isn't tied to actual harm, but the likelihood of harm, said Matwyshyn, former senior policy adviser to the FTC on privacy and security.

“The evolution of case law as a parallel sanction is something courts will continue to grapple with in their construction of economic loss/harm and causality,” she said.

More Work for Plaintiffs' Lawyers

Matwyshyn also said FTC enforcement activity could be a signal to plaintiffs' firms looking for potential clients, because an “agency with expertise believes an unreasonably low level of security existed.”

Teppler, the plaintiffs' lawyer, said the world of connected devices and product liability is “still a developing area.”

“There aren't a lot of cases yet,” but with so many things connected to the Internet, “it's only a matter of time,” he said.

Teppler, who is involved in the Barbie and VTech litigation, said his firm is starting out by looking at products aimed at children and the infirm, which include many seniors.

But any household appliance or monitoring system that malfunctions and causes property damage could wind up the subject of an investigation for a possible suit.

For attorneys looking into a report of a fire or other damage, you ask yourself the old standard questions about causation in traditional product liability cases, Teppler said. “You find yourself asking, ‘Is there a manufacturing defect?' ”

But, these days, and more and more in the future, you should also ask, “ ‘Is the product operated by computer code?'  ”

Now, he said, “The question should always be, ‘Is this a connected device?' ”

To contact the reporter on this story: Julie A. Steinberg at

To contact the editor responsible for this story: Steven Patrick at

Request Litigation on Bloomberg Law