It’s All Connected: Minimizing Litigation and Regulatory Risk on the Internet of Things
27th Annual All Hands Meeting 2015
October 28-29, 2015
Santa Clara Convention Center
Cheryl Falvey and Greg Call, Crowell & Moring LLP
Eve Saltman, GoPro
Agenda
• Identify scope of cybersecurity threat
• Categorize compliance obligations
• Issue spot litigation risks
• Discuss in-house counsel role in process
Each product raises different regulatory and litigation considerations
Cybersecurity risks
• Unauthorized access to or misuse of personal information
• Attacks on systems
• Creating risks to personal safety
• Theft/compromise of IP
Product Liability
Cyber-security
Privacy
Identify Compliance Obligations
• Identify and classify regulated data and systems to protect from internal and external breach
• Ensure proper governance of people and data, including implementing controls, audits and monitoring
• Update privacy and cyber policies and procedures, especially with an eye toward vendor access to systems
• Evaluate public-facing statements on security and privacy
• Know reporting requirements and response process in the event of an incident – data breach tool kit
Skin Allergens/Sensitizers
• Additives – PPD (p-Phenylenediamine), Cobalt, Glyceryl thioglycolate
• Metals – Nickel
• Elastic Materials – Latex
• Leather – Chromium, Glutaraldehyde
In the Matter of TRENDnet, Inc.
• Corporation must monitor and proactively address security vulnerabilities from any source
“[F]ailure to implement a process to actively monitor security vulnerability reports from third-party researchers, academics or other members of the public.”
• Consent Order, FTC v. TRENDnet (2013)
FTC Expectations and Negligence
• Corporation must identify vulnerabilities in the design, development and research process.
Identify “reasonably foreseeable, material risks, both internal and external, that could result in the respondent’s unauthorized collection, use, or disclosure of covered information, and assessment of the sufficiency of any safeguards in place to control these risks . . . . In product design, development and research.”
• FTC Order, Snapchat, Inc., 2014
FTC Enforcement
TRENDnet Settlement Terms
• Company barred from misrepresenting its security or the confidentiality of data transmitted by its cameras to consumers
• TRENDnet must designate an employee responsible for security
• TRENDnet must engage with service providers to maintain security of their devices
• Company must create and implement a comprehensive data security program and submit to third-party bi-annual audits
File No. 122 3090, in the Federal Trade Commission
NHTSA Cybersecurity
• Security – Capability of system to resist cyber attacks
• Risks – Potential gaps in the system that can be compromised by cyber attacks
• Performance – Effectiveness of security systems
• Unintended consequences – Impact of cybersecurity on performance of the system
• Certification – Method to assure that critical vehicle subsystems such as communications are secure
Cyber Compliance Comparison

| NIST | FTC IoT | FDA/Medical Devices | Product Safety (NHTSA) |
|---|---|---|---|
| Identify | Security by Design | Address cybersecurity during design | Identify owner of security design |
| Protect | “Defense-in-depth” layers of security to address risk | Secure based on risk level | Establish protocols to track “levels of security” in IT and product design across all relevant groups |
| Detect | Monitor connected devices through lifecycle | Implement features within devices to detect breach and maintain functionality | Monitor post-sale incident data |
| Respond | Push out security patches immediately upon learning of vulnerabilities | Establish methods for retention and recovery of compromised data | Include identification, elevation and resolution of security issues as part of performance |
| Recover | Provide patches to cover known risks | Determine the level of risk and mitigation strategies/assess residual risk and risk acceptance | Continuous improvement loop in product design |
Hypothetical Case
Identify the Litigation and Enforcement Risks
• Enforcement Actions
– Privacy = FTC/State AGs
– Security Around Information = FTC/State AGs
– Security Affecting Safety = NHTSA, FDA, CPSC
• Class Action Litigation
• Individual Claims
• Patent and Trade Secrets Disputes
In re MyFord Touch
• Ford reported a “things gone wrong” rate of 500 for every 1000 vehicles;
• consumers experienced “freeze ups,” “crashing,” “black outs,” “nonresponsiveness,” “breakdowns” of the rearview camera and defroster, “inaccurate directions on the navigation system,” and
• technical service bulletins and software updates addressed these problems.
Emerging Litigation Issues
• Typical Claims
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Invasion of Privacy
– Design or Manufacturing Defect
– Breach of Warranty
– State Statutes
• Threshold issues
– Standing to sue (federal court)
– Actual injury or harm (common law claims)
Emerging Litigation Issues
• Class Certification Issues
– Rare (dismissal or settlement)
– Claims often turn on individualized issues or causation and damages
– Thus common questions of law and facts do not predominate over questions affecting individual members
• Damages
– Aggregate exposure to nominal damages
– Due process violation?
Typical Security Breach Settlements
• Non-monetary relief (e.g., credit monitoring)
• Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)
• Consent decree requiring security improvements
• Attorneys’ fees to plaintiffs’ counsel
• Capped individual payments to plaintiffs who can prove causation
Defense Issues
• Misrepresentations, omissions and false advertising
– Reliance
• Reasonable expectation of privacy and consents
• Implied warranties and responsible parties
• Security “vulnerabilities” and standing
In-House Counsel Role
• Monitoring contract language
– Responsibilities, indemnities, warnings
• Building and directing compliance teams to meet the standard of care
• Comparing terms and conditions, as well as consents, to actual business practices
• Meeting reporting requirements
• Reviewing advertising, from product packaging and labels to social media presence
Questions?
Contact Information
Greg Call, Partner, Crowell & Moring LLP, 415.365.7388, [email protected]
Cheri Falvey, Partner, Crowell & Moring LLP, 202.624.2675, [email protected]
Eve Saltman, Deputy General Counsel, GoPro, 650.332.7600, [email protected]