Aug 07, 2019

The Internet of Things (IoT) is driving business transformation. Its impressive data-collection abilities allow companies to harvest huge amounts of information in real time. When paired with sophisticated data-analytics tools, such as artificial intelligence (AI), businesses can use this data to derive insights into their business operations—creating new revenue opportunities and increasing efficiency. Global IoT spending is expected to reach $745 billion in 2019, and consulting firm Gartner predicts that by 2021, more than 25 billion IoT devices will be in use, up from an estimated 14.2 billion this year.
Although the IoT introduces new opportunities, implementation of IoT systems comes with challenges and risks. IoT devices operate in highly connected networks, and the more connected a solution is, the more points of failure it has in operation. Furthermore, a vulnerability in one node of a network can have broad implications throughout the system, because a compromised node sits on the same network as every other component it communicates with. Bad actors that exploit deficient IoT security measures can cause numerous harms, including business delays, breaches of security and privacy, and even physical injury.
Another challenge presented by the IoT is making effective use of data. Even when information is collected in a structured format, companies use less than 50 percent of their data in decision-making, and when that data is collected in an unstructured format, the number falls below 1 percent. With these factors in mind, it is not surprising that only 26 percent of businesses believe their IoT initiatives have been successful. So, how do companies utilize IoT solutions while avoiding the pitfalls associated with such technologies?
Companies that implement digital-management strategies up front, beginning with "by design" solutions, can mitigate risk and optimize IoT capabilities. Having a digital-management strategy that gives consideration to safety, security, privacy and data management up front will enable businesses to manage risk in order to turn vast amounts of data into actionable intelligence. "Smart" businesses will further understand that their digital-management strategy cannot be static, in light of changing business requirements, growing threats, evolving regulatory landscapes and the expansion of a supplier base with varied contracting approaches and risk tolerances.
Current Legal Landscape
IoT lawsuits have largely focused on deficient product security and the misuse of consumer data. Plaintiffs filing these claims have alleged that IoT security vulnerabilities and data breaches have subjected them to a risk of future harm, although the bad actors have not actually exploited the security vulnerabilities or misused the information exposed to the data breach. In the absence of actual harm, plaintiffs have struggled to assert the Article III standing necessary in order to pursue these claims.
The Federal Trade Commission (FTC) has also shown its willingness to bring enforcement actions against IoT manufacturers that engage in unfair or deceptive acts affecting commerce, but has similarly struggled in such cases to demonstrate actual harm. But it is only a matter of time before a successful cyberattack occurs—presenting "fundamentally different" high-stakes IoT litigation.
Federal IoT legislation has been proposed in the United States, but the U.S. federal government has yet to pass any of it into law. The Internet of Things Cybersecurity Improvement Act was introduced in the U.S. Senate in 2017. That Act would require vendors selling IoT devices to the U.S. government to enter into certain security-centered contractual provisions. More recently, the House of Representatives passed the SMART IoT Act, which would task the Department of Commerce with conducting a comprehensive study of the IoT industry.
Although no U.S. federal legislation has become law, California recently became the first state to pass legislation directed at the IoT, focusing on device security. The California law will take effect on Jan. 1, 2020, and will require manufacturers of connected devices to equip such devices with a "reasonable security feature."
Similarly, the European Parliament recently approved the EU Cybersecurity Act, which is aimed at establishing certification schemes for ICT products, services and processes sold in the European Union. Certification schemes applied to IoT devices would make those devices safer and more secure.
Even without IoT-specific legislation in place, the regulatory schemes of different industries may affect how companies can use IoT devices in their businesses. For example, the U.S. Food and Drug Administration regulates medical devices, which may include IoT devices depending on the product's application.
As another example, the U.S. Department of Transportation (DOT) recently released updated policies and guidance to support the continued development of autonomous vehicles, including the use of IoT data collection to enhance their capabilities. The DOT's guidance focuses on safety and providing a path forward to implementation of autonomous vehicles. There are, of course, few industries without IoT use cases and applicable regulatory schemes. Additionally, regardless of industry, companies collecting data through IoT applications are likely to be subject to various data privacy laws such as GDPR.
The first step toward understanding the risk associated with an IoT system is determining what types of data are being collected and the legal obligations associated with that information. For instance, a small business that uses IoT to collect inventory data may not have any legal obligations with respect to that data. But, a company that manufactures IoT home devices probably collects vast amounts of personal data (names and protected health information, for instance), and is thus subject to various privacy laws. These privacy laws, GDPR in particular, can be burdensome and, if violated, may trigger large fines.
Additionally, companies should be aware of any contractual obligations that may classify data as "confidential information"—or otherwise restrict use of IoT data. By understanding each data type, and the obligations associated with that data, companies can create digital-management strategies that keep them in compliance with those contractual obligations.
Every digital-management strategy should consider IoT security concerns. IoT devices are notorious for security vulnerabilities—in 2017, nearly half of all companies using an IoT network had been the victim of a security breach. Furthermore, it is estimated that through 2022, half of all IoT security budgets will go toward fault remediation.
Moreover, not all data is "good" data. Like most instruments, IoT sensors may not always provide accurate readings due to improper calibration or a device malfunction. Using "bad" data can lead to faulty conclusions and negative consequences. This is especially true in the context of AI.
Recommendations for Contracting
Developing a complete IoT solution can be a difficult endeavor that requires multiple vendors to provide an array of products and services, such as sensors, data storage, data networks, data ingestion, data cleansing and aggregation, and data analytics. The various products are unlikely to be designed to work together, and each of the multiple vendors would prefer to bear as little as possible of the risk of the overall solution while having as much access to the data as possible. This arrangement leads to various potential failure points throughout the IoT system and makes for a complex contracting scheme. But there are contractual approaches and provisions that can mitigate risk.
Conducting due diligence on potential IoT providers is a good start for contracting—in fact, the FTC recommends it. Due diligence should include legal and security inquiries, in addition to technical, operational and other forms of diligence. By conducting diligence, companies can ensure that each vendor's product or service offering can be integrated into the larger IoT solution. Companies can also identify "red flags" that disqualify a vendor from the selection process (e.g., poor financial health, legal concerns or substandard security measures).
Companies should also strive for detailed security and audit provisions in vendor contracts. Notably, the FTC has brought enforcement actions against companies for failure to reasonably oversee the security practices of their service providers—in part due to a lack of security-related contract provisions. Recommended contract provisions will vary depending on each IoT solution, but could include requirements such as compliance with privacy laws and industry standards, audit rights, penetration testing, vulnerability scans, restrictions on system access and data breach notification.
Vendor contracts should assign rights to IoT data. In particular, companies should carefully consider whether it is appropriate to restrict usage rights for vendors that have access to company data. As noted above, there may be numerous vendors that have access to the data as it flows from the device into networks and eventually to the company. Many of those vendors may be able to monetize the data in ways that do not adversely affect the company. For example, vendors may want to use a company's IoT data in order to create industry reports and form insights into their business, which may be acceptable so long as the vendor aggregates and anonymizes the data. But even aggregated and anonymized data, if analyzed closely, may reveal a company's identity or provide business advantages to a competitor.
Currency and maintenance of the IoT devices are also major contracting issues. Vendors often update their devices and service offerings. This can cause operational problems for an IoT solution that relies on several different vendors' devices and services. For example, if a vendor updates its IoT sensors, the integrated data-analysis software may require corresponding updates to ensure proper operation of the system, and if the updates require physical access to the IoT devices, updates could be costly to implement. To address this risk, vendor contracts should clearly define maintenance requirements and ensure that IoT systems will be supported over time. It may also be useful to build in substantial notice periods before vendors can make changes that would reduce functionality of the system.
This is by no means an exhaustive list of issues that should be addressed in IoT contracts. Instead, we are intending to provide a context that companies can use to develop their own IoT contracting principles. The common theme is that IoT solutions are often complex and require multiple vendors. Digital management strategies should account for this complexity in order to increase the likelihood of successful IoT initiatives.
Linda Rhodes is a partner in Mayer Brown's Washington, D.C., office and a member of the Technology Transactions practice. Linda has extensive experience representing clients in hundreds of matters in technology transactions, including digital transformation (such as cloud computing, automation and AI), data analytics and rights, software development and licensing, and business process and IT outsourcing. Linda has been ranked as a leading lawyer in Chambers & Partners USA: Technology & Outsourcing, Washington, DC (2010-2019). Charles King III is an associate in Mayer Brown's Technology Transactions practice in the Chicago office. Charles focuses his practice on business process outsourcing, data center leasing, and technology transactions related to cloud services and software licensing.