Internet of Things: Understanding the Legal Framework
By Mark Radcliffe, Partner, DLA Piper
The Internet of Things (IoT) presents one of the most sweeping changes in IT in the past 20 years. Consulting firm McKinsey described this opportunity succinctly in its recent report (The Internet of Things: Mapping the Value Beyond the Hype): “Our central finding is that the hype may actually understate the full potential of the Internet of Things.” This conclusion mirrors those of Accenture in its report for the World Economic Forum (Driving Unconventional Growth through the Industrial Internet of Things), which described the Industrial IoT as a fundamental change to business that brings “unprecedented opportunities, along with new risks, to business and society.” IoT will provide the opportunities for operational efficiencies, particularly in making more effective use of equipment, as well as new business models such as those based on “outcomes” for products and service or pay per use.
Just as IoT brings new business opportunities, it raises new legal issues. For example, if a “connected car” is in an accident while in autonomous mode, who is responsible: the developer of the navigation software, the car manufacturer that installed navigational software, the mapmaker whose map potentially was incorrect, or the user? The answers to these issues are open. IoT will also greatly increase the amount and value of data.
IoT raises new legal issue—some of which will be unique to certain industries, such as healthcare. But certain legal issues are likely to be important across all IoT markets: privacy, cyber security, data use and software licensing.
Many countries, including those in Europe, Asia- Pacific and Latin America, have privacy laws which require prior consent to the collection, use and sharing of personal information. However, it is not always clear how such consent would be obtained in many IoT situations from connected cars to wearable devices. In the United States, there is no comprehensive data privacy regime governing the collection and sharing of personal information. However, the Federal Trade Commission has published guidance on the application of privacy principles to IoT.
Cybersecurity is one of the most important legal issues in the IoT. The recent hacking of a car (including turning on the wind shield wipers and slowing the vehicle) organized by Wired magazine graphically demonstrated these risks. The consequences could be even more serious as IoT technology is implemented to control infrastructure systems such as the power grid: a successful hacking of the power grid could cause damages in the hundreds of millions of dollars. This problem is compounded by two factors: many of the companies entering the IoT market are not familiar with cyber security and most IoT systems,
By their nature, combine components from a wide variety of companies and the combined product may create additional vulnerabilities. Yet, the legal obligations to provide cyber security are still unclear.
The consequences could be even more serious as IoT technology is implemented to control infrastructure systems such as the power grid: a successful hacking of the power grid could cause damages in the hundreds of millions of dollars. This problem is compounded by three factors:
1. Legacy system controls (referred to as SCADA controls), such as those for train switches, power plants and energy grids, were designed with only the most basic networking functions and almost no security.
2. Many of the companies entering the IoT market are not familiar with cyber security and have built their IoT controls along the supervisory control and data acquisition (SCADA_ model, which is not so secure.
3. Most IoT systems, by their nature, combine components from a wide variety of companies and the combined product may create additional vulnerabilities. Yet the legal obligations to provide cyber security are still unclear. Among the suppliers developing IoT systems, these risks will probably be managed by contract.
“IoT will provide the opportunities for operational efficiencies, particularly in making more effective use of equipment, as well as new business models such as those based on “outcomes” for products and service or pay per use”
The use and analysis of data will be critical to capturing the value of IoT. However, the legal protection of “data” is uncertain. Generally “raw data” is not protectable by traditional legal theories of intellectual property such as copyright. Copyright will protect the “organized data” such as data in a database, but such protection is generally limited to the manner in which the data is organized (i.e. the “structure” of the data). If the raw data is organized in a different way, then copyright protection of the “structure” will not be violated.
The European Union has its own separate (non-copyright) protection for databases, but it is likely to be of limited use in this situation. The potential problems in the ownership and protection of data can be illustrated by data from a cardiac monitor where four parties may want to use (and own) the data: the manufacturer of the implant, by the physician, by the health insurer or by the patient. Given this uncertainty about the meaning of “ownership” of data and its protection, companies will need to focus on contract law to deal with these issues.
Software licensing will be critical to IoT because most of the critical functions of IoT systems will be implemented through software. Such software licenses will deal with traditional software license issues such as the scope of the license grant, the ability to sublicense, the liability for failure of performance and the liability for infringement of third party copyrights and patents. However, given the fact that the IoT is likely to be an aggregation of software from a variety of different vendors, the coordination of these license terms will become very important.
As McKinsey noted 40 percent of the value, and in some cases 60 percent of the value of IoT products will be based on interoperability. Free and open source software (FOSS) is the most natural solution to this potential problem. Several of the major FOSS foundations, such as the Eclipse Foundation and the Linux Foundation, are already sponsoring IoT software projects supported by multiple companies to deal with common problems in the IoT.
Given the breadth of opportunity, companies must consider IoT as an integral part of their strategy. Companies should:
• Monitor developments in IoT for your industry to try to identify potential applications and partners.
• Monitor the development of IoT platforms, which may apply in your industry. These platforms are likely to be based on FOSS and companies should consider joining one of the FOSS foundations, which is managing IoT projects to better understand the roadmap for such projects.
• Focus on the provisions for cyber security by your vendors and the flexibility to meet new threats.
IoT will cause fundamental changes across multiple industries and companies need to make implementation of IoT solutions are a critical part of their strategy.