I first met Brian Contos, CISO of Verodin, backstage in the speaker ready room at Black Hat in Las Vegas. As we waited to go on stage, we got to chatting and he invited me to join him on the Cybersecurity Effectiveness Podcast to talk about IoT as it relates to cybersecurity and lawsuits.
Although it hasn’t happened yet, it seems inevitable that a wave of lawsuits over faulty cybersecurity in IoT devices is just over the horizon.
Although the vulnerabilities in many IoT products have been widely recognized, there have been few lawsuits up until now. That’s going to change – the number, scope, and severity of hacks will certainly increase. And because of the nature of IoT products and their uses, it’s only a matter of time before there are hacks with severe cyber-physical impacts, which will almost always lead to litigation if attribution is possible. Plus, in some cases – such as the Jeep hack class action scheduled for trial in 2019 – litigation may result from serious safety vulnerabilities in certain types of products even where no malicious hack has occurred.
Everyone in the IoT supply chain is at risk if they don’t meet the applicable “standard of care,” a legal term that varies somewhat depending on the particular legal claims at issue, but essentially means responsible cybersecurity design. Unfortunately, it appears that many entities in IoT supply chains have underestimated the risk posed by IoT cybersecurity litigation, and so have failed to adequately invest in cybersecurity design. If anything, IoT cybersecurity litigation poses greater risks than more traditional types of litigation because of the number of possible defendants and the complexity of their interrelationships; the exceptional costs of this type of litigation; and the uncertainty caused by the fact that outcomes may depend on juries of laypeople, with no cybersecurity expertise, deciding what the acceptable level of cybersecurity is in particular products.
Properly factoring litigation costs and risks into ROI assessments should lead IoT companies to include significantly improved cybersecurity in their devices. Anyone in the IoT supply chain who fails to do so proceeds at their own peril and should understand that a jury that finds a company acted irresponsibly is likely to impose liability in amounts far greater than the cost of designing sound cybersecurity in the first place.
Check out the podcast to listen to our full conversation.