The Internet of Things (“IoT”) is driving business transformation. Its impressive data-collection abilities allow companies to harvest huge amounts of information in real time. When paired with sophisticated data analytics tools, such as artificial intelligence (“AI”), businesses can use this data to derive insights into their business operations—creating new revenue opportunities and increasing efficiency. Global IoT spending is expected to reach $745 billion in 2019 and Gartner, the consulting firm, predicts that by 2021 over 25 billion IoT devices will be in use—up from an estimated 14.2 billion in 2019.1
Although IoT introduces new opportunities, implementation of IoT systems comes with challenges and risks. IoT devices operate in highly connected networks. The greater the connectivity of solutions, the more opportunities exist for points of failure in operation. Further, a vulnerability in one node of the network can have broad implications throughout the system. Bad actors that exploit deficient IoT security measures can cause numerous harms, including business delays, breaches of security and privacy, and even physical injury.
Another challenge presented by IoT is making effective use of the data. Even when collected in a structured format, companies use less than 50 percent of their data in decision-making, and when data is collected in an unstructured format, that number falls below 1 percent.2 With these factors in mind, it is not surprising that only 26 percent of companies believe their IoT initiatives have been successful.3 So, how do companies utilize IoT solutions while avoiding the pitfalls associated with such technology?
Companies that implement digital management strategies up front, beginning with “by design” solutions, can mitigate risk and optimize IoT capabilities. Having a digital management strategy that gives consideration to safety, security, privacy and data management up front will enable businesses to manage risk in order to turn vast amounts of data into actionable intelligence. “Smart” businesses will further understand that their digital management strategy cannot be static, in light of changing business requirements, growing threats, evolving regulatory landscapes and the expansion of a supplier base with varied contracting approaches and risk tolerances.
Current Legal Landscape
IoT lawsuits have largely focused on (i) deficient product security and (ii) misuse of consumer data.4 Plaintiffs filing these claims have alleged that IoT security vulnerabilities and data breaches have subjected them to a risk of future harm, even though bad actors have not actually exploited the security vulnerabilities or misused the information exposed in the data breach. In the absence of actual harm, plaintiffs have struggled to assert the Article III standing necessary to pursue these claims. The Federal Trade Commission (“FTC”) has also shown its willingness to bring enforcement actions against IoT manufacturers that engage in unfair or deceptive acts affecting commerce but has similarly struggled in such cases to demonstrate actual harm.5 But it is only a matter of time before a successful cyberattack occurs—presenting “fundamentally different” high-stakes IoT litigation.6
Federal IoT legislation has been proposed in the United States, but the US federal government has yet to pass any of it into law. The Internet of Things Cybersecurity Improvement Act was introduced in the US Senate in 2017. That Act would require vendors selling IoT devices to the US government to enter into certain security-centered contractual provisions.7 More recently, the House of Representatives passed the SMART IoT Act, which would task the Department of Commerce with conducting a comprehensive study of the IoT industry.8
Although no US federal legislation has become law, California recently became the first state in the United States to pass legislation directed at IoT—focusing on device security.9 The California law will take effect January 1, 2020, and will require manufacturers of connected devices to equip such devices with a “reasonable security feature.”10
Similarly, the European Parliament recently approved the EU Cybersecurity Act, which is a cybersecurity regulation aimed at establishing certification schemes for ICT products, services and processes sold in the European Union.11 Such certification schemes applied to IoT devices would make such devices safer and more secure.
1 Gartner, Gartner Identifies Top 10 Strategic IoT Technologies and Trends (Nov. 7, 2018), available at https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends; IDC, IDC Forecasts Worldwide Spending on the Internet of Things to Reach $745 Billion in 2019, Led by the Manufacturing, Consumer, Transportation, and Utilities Sectors (Jan. 3, 2019) available at https://www.idc.com/getdoc.jsp?containerId=prUS44596319.
2 Tim Stack, Internet of Things (IoT) Data Continues to Explode Exponentially. Who Is Using That Data and How?, Cisco (Feb. 5, 2018), available at https://blogs.cisco.com/datacenter/internet-of-things-iot-data-continues-to-explode-exponentially-who-is-using-that-data-and-how. “Unstructured data does not have a specific format. It can come in any size, shape, or form, which makes it incredibly difficult to manage and analyze. Structured data is limited in the sense that it can only contain certain types and amounts of information in its defined fields, but unstructured data has no such limitations. While structured data is easy to search using basic algorithms, unstructured data doesn’t follow any predictable pattern that a simple algorithm can process. Internet of Things (IoT) devices are also becoming a major source of unstructured data.” Tom Banta, Finding a Needle in a Haystack: How to Manage Unstructured Data, vXchange (Aug. 9, 2019), available at
5 In 2017, the FTC brought an enforcement action against D-Link Corporation alleging that the company failed to take reasonable steps to secure its consumer routers and IP cameras but was ultimately unsuccessful due to its inability to demonstrate actual harm. Fed. Trade Comm'n v. D-Link Sys., Inc., No. 3:17-CV-00039-JD, 2017 WL 4150873 (N.D. Cal. Sept. 19, 2017). See also Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras, Federal Trade Commission Press Releases (Jan. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
7 Internet of Things (IoT) Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. § 3 (2017), available at https://www.congress.gov/bill/115th-congress/senate-bill/1691/text.
8 SMART IoT Act, H.R. 6032, 115th Cong. (2018), available at https://www.congress.gov/bill/115th-congress/house-bill/6032/text.
9 S.B. 327, 2017-2018 Reg. Sess., (Cal. 2018), available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327.
11 Michael Thaidigsmann, EU Cybersecurity Act clears final parliamentary hurdle (Mar. 13, 2019), available at https://inhouse-legal.eu/public-policy-regulations/eu-cybersecurity-act-passed/. ICT products are hardware and software elements of network and information systems.