Who's Liable and How to Protect Yourself
These are important questions businesses should ask themselves before, during and after cybersecurity events
Cybersecurity is on the minds of every industry leader around the world, especially after a hack of the credit reporting agency Equifax potentially exposed the personal information of 143 million people. Days later, a reported breach of the U.S. Securities and Exchange Commission’s corporate financial filing system may have allowed hackers to trade on inside information.
The financial and privacy implications of cyberattacks are substantial. In the global business community alone, Reuters reported cybercrime cost companies $445 billion in 2016. A 2015 survey by Duke University and CFO Magazine indicated that more than 80 percent of U.S. companies and 94 percent of medical institutions were victims of a breach.
With the internet of things (IoT) connecting millions of consumer products and devices to the web, the risks will continue to escalate for manufacturers, distributors and sellers alike.
- Automotive technologies are improving driver safety and vehicle performance, but open the door to hackers who could potentially take control of essential functions and features.
- U.S. Department of Homeland Security researchers are investigating if flaws in medical devices are being exploited by hackers to cause harm.
- Web-connected toys pose a risk of attacks on children’s privacy and of exposure of their personally identifiable information.
VIRTUAL VS. TRADITIONAL PRODUCT LIABILITY
Lines are still blurred over who is responsible for any impacts caused by cyberattacks. In traditional product liability cases, the manufacturer is typically liable for any harm resulting from a product defect. But when the potential or actual harm is caused by a product’s cybersecurity vulnerabilities, entities throughout the product lifecycle may be held liable.
For example, security software vendors create antivirus, encryption, firewall and spyware-removal products aimed at preventing cyberattacks and data breaches. If a breach occurs, is the vendor liable because the software failed to work as marketed? What if the vendor did not properly disclose the risks of cyberattacks to consumers from the start? Or, is the customer who bought and installed the software liable for faulty installation? Or perhaps, it’s the manufacturer of the computer on which the software was used? Because this area of law is underdeveloped, product manufacturers and their legal counsel are left with more questions than answers.
DO CONSUMERS HAVE STANDING TO SUE FOR CYBERSECURITY VULNERABILITIES?
There’s a big difference between actual harm caused by a cyber breach and a potential harm that could occur. To establish standing, an injury must be concrete, specific, actual or imminent, traceable to the challenged action, and redressable by a favorable ruling. But is showing that a product is defective because it is vulnerable to hacking in the future enough to prove actual harm occurred today?
WILL DEFENSES TO TRADITIONAL PRODUCT LIABILITY CLAIMS STILL APPLY?
In the medical device and pharmaceuticals industries, manufacturers have been trying to avoid liability by transferring it to physicians. Since they serve as liaisons between the manufacturers and patients, physicians and other clinicians may be held liable for not fully warning patients of cyber-related risks. However, would a prescribing physician be able to adequately describe the risk of hackers accessing a patient’s insulin infusion pump if they did not have a strong understanding of the networks and technologies with which those devices interface and how those systems could be hacked? It is difficult for lawyers to navigate uncharted waters without drawing from previous legal precedents.
ACTING REASONABLY IN MANAGING CYBERSECURITY THREATS
While doctrines of product liability law related to cybersecurity remain uncertain, there are steps that product manufacturers can and should take to legally safeguard themselves from cyber risks.
Adherence to guidelines and best practices provided by government regulatory and industry groups is one way a company can demonstrate it acted reasonably in response to cybersecurity vulnerabilities. Under the U.S. SAFETY Act, for example, anti-terrorism products, software and other forms of technology can be protected from liability by having their offerings vetted by the U.S. Department of Homeland Security. This makes it more difficult to argue that the company did not act reasonably to prevent and manage cybersecurity threats.
Additionally, the Food and Drug Administration issued guidance to help companies manage cybersecurity vulnerabilities for products and devices that already have been marketed and distributed. The guidance includes recommendations for addressing cybersecurity throughout the product lifecycle. Notifying the FDA of actions taken would help demonstrate a company acted reasonably to thwart risks.
Cybersecurity threats will only increase and product manufacturers must prepare for cyberattacks just the same as any other business. This means having a risk assessment and mitigation plan in place, along with a strong cybersecurity counsel who stays current with emerging threats and how to eliminate them. It’s also essential for companies to train their employees to be hyper-vigilant in identifying and preventing cyber breaches. Without knowing what the legal landscape looks like in terms of cybersecurity and product liability, the best a company can do right now is to understand the risks and prepare accordingly.
Regina M. Rodriguez is a partner in the Denver office of Hogan Lovells. She is an experienced trial lawyer and has handled cases across a range of industries as lead trial counsel in complex litigation and tort cases, and has extensive experience representing drug and device manufacturers, including product liability, False Claims Act and commercial matters. In addition, Rodriguez defends clients in government investigations. Before moving to private practice, she was an Assistant U.S. Attorney and Chief of the Civil Division in the District of Colorado, where she supervised and directed all active civil cases for the office.
Shelby Martin is a senior associate in the Denver office of Hogan Lovells. She is a litigator with the goal of solving problems so clients can get back to business. As a member of Denver's Litigation and Arbitration group, Martin devotes her practice to pharmaceutical and medical device litigation and advocacy. She is an accomplished trial lawyer with experience representing one of the nation's largest medical device manufacturers, as well as counseling clients in multidistrict and complex liability litigation.