An Ottawa lawyer says the makers and sellers of internet-enabled devices are not governed by any particular provincial or federal legislation to ensure those gadgets are secure.
Shaun Brown, a partner with nNovation LLP, who practises privacy and cybersecurity law, says there is virtually no federal or provincial legislation that provides legal guidance on the security of a growing list of internet-enabled devices that are being developed, from connected cars to fitness trackers.
Product liability laws allow lawsuits if an unsafe product leads to injury, says Brown.
He says he sees potential for those laws to be adapted to connected devices that are not secure and lead to harm as a result. He says the challenge, however, is having to wait for case law to develop.
“The problem with that is you’re also waiting for something bad to happen and then hoping there is litigation and then case law that comes out of that,” he says. “What we see in most cases with a lot of litigation is it often settles and we don’t get any case law, especially with class actions.”
There’s no question the number of connected devices is quickly growing. There’s even an internet-enabled pregnancy test, observes Kirsten Thompson, a partner at McCarthy Tétrault LLP, who leads the firm’s national cybersecurity, privacy and data management group.
Thompson says that, in her own practice, she increasingly sees that “the vector by which a company gets in trouble or gets hacked is through a connected device.
“Often, they have very rigorous protections around the central system, but it’s these peripheral systems, everything that’s tapped into it [that are not secure],” says Thompson. “It doesn’t have to be that way.”
She points to a recent example of a North American casino that was targeted by hackers through an internet-connected fish tank.
“So, whose responsibility is it? Is it the people or the companies that are bringing on the internet-connected devices, is it the people making the internet-connected devices [or] is it the consumer who should be aware of these things?” she asks.
While there is robust private-sector privacy legislation that applies to companies when they collect and disclose personal information, Brown says he sees a large gap when it comes to protecting information from cyberattacks. So, unless the companies are collecting personal information in the course of commercial activity, he says, privacy laws don’t apply.
The result, Brown says, is that there is arguably no legal obligation for companies to build, sell or distribute secure products. There are also no ongoing obligations for companies to make sure that the security of these products is maintained over time. Part of the issue, says Brown, is that the regulations are complex and complicated by the division of powers between the federal and provincial governments.
He points to privacy legislation as an example. In the absence of privacy legislation in all provinces, the federal government enacted its own legislation to fill the gaps and ensure there is something in place across the country.
Provincial consumer protection legislation and sale of goods legislation that imposes statutory and implied warranties on products and services typically applies to commercial goods.
However, Brown says, whether or not the legislation applies to the security of these newer products hasn’t yet been tested.
Product liability law is largely rooted in contracts and negligence, but it includes contracts and warranties, says Nicole Henderson, whose practice with Blake Cassels & Graydon LLP focuses on class action, product liability and privacy/cybersecurity. It imposes a duty of care upon manufacturers to avoid creating unnecessary risk in putting out a product and to warn of reasonably foreseeable risk that it knows about, she says.
The interesting aspect, adds Henderson, is that there’s little likelihood that, when product liability principles were first developed, lawmakers would have foreseen them being used in this way.
She points to the almost century-old seminal product liability case Donoghue v. Stevenson, which was a United Kingdom House of Lords decision that set out the modern concept of negligence and the obligation of duty of care. At issue was a snail found in a bottle of ginger beer.
“To some extent, we find ourselves trying to consider how those same principles would apply to a smart watch, to a smart thermostat, to anything else,” says Henderson.
Traditionally, product liability cases involve some sort of physical injury or a product that poses some risk of damage to person or property. But in cybersecurity cases, a breach or unintended disclosure doesn’t necessarily result in physical damage or injury, she says.
Instead, the loss is usually economic, which in typical product liability tort cases is not recoverable unless the product is actually dangerous and poses physical risk or injury.
“I think what you’re really seeing a lot in cybersecurity cases is really an allegation not that the plaintiff has actually been injured but that somehow they’re at some risk,” she says.
The 2012 Ontario Court of Appeal case Jones v. Tsige is an example of a relatively new development. It recognized a new cause of action in privacy tort: intrusion upon seclusion.
“The tort that was recognized in that case has since gone on to be relied upon in a variety of circumstances that I don’t necessarily think the court of appeal would have necessarily contemplated when they decided Jones and Tsige,” says Henderson.
“One of the areas where we are seeing intrusion upon seclusion and other privacy torts relied on quite a bit is in privacy class action. And I think there’s been an uptick in that area and I suspect it’s a trend that will continue in the near future.”
From a business perspective, a contract is what will provide protections, says Thompson. Contracts allow them to build in protections and indemnifications. But for an individual, all that’s available at the moment is to read the waivers and to exercise the option to pass on the purchase of any products that they feel might make them vulnerable to cyberattack. Brown believes it’s an issue that should be examined by policymakers.
“It really ties in to other emerging issues around the use of artificial intelligence and machine learning and driverless vehicles,” he says.