The rapid growth of the Internet of Things (IoT), from sensors to predictive analytics to cloud connectivity, is causing seismic shifts in the way we understand risk. As people, products, assets, and services become increasingly interconnected, new physical and technological risks are coming to light. Now the IoT era is transforming how businesses consider liability, data and privacy, cybersecurity, and more. As companies quickly integrate IoT devices into products, services, and operations, risk managers at leading companies now find themselves wondering which questions to ask in order to sense the risks of the future. 

Imagine that you are a risk manager at a large trucking company, and you’ve recently made the shift to autonomous vehicles. While his truck is in autonomous mode, one of your drivers takes his hands off the wheel, although he is contractually obligated to keep them on. Your driver hits an oncoming vehicle that is driving safely. Whom will the court consider responsible: your driver, the manufacturer of the autonomous truck, or the maker of the autonomous system? 

We thought you might be interested in learning more about:

Or consider that you are a risk manager for a manufacturing company that has deployed robotics in your facilities to increase efficiency. A malicious third party hacks the integrated system that controls your machinery. The hacker causes a robotic arm working in a busy factory to swing erratically, and the employee responsible for monitoring the machinery does not enact proper safety protocols to shut it down. If another employee is injured by the machinery, how is liability allocated among the hacker, your company, and your negligent employee? What steps would you take to investigate this incident? 

It may take several years for regulators and the court system to determine the answers to these challenging questions. Nevertheless, risk managers can take action to uncover, measure, and respond to IoT risks today. To help risk managers navigate the new world of IoT risk, liability, and security, we partnered with the University of Chicago Law School to produce a manual that can help enhance your company’s safety and resilience. In collaboration with Professor Salen Churi and his Innovation Clinic, we’ve created an actionable checklist that can empower you to ask the right questions and navigate IoT risks with greater confidence. 

Below, find a short guide to major risk areas you need to consider, including selected questions for you to ask within each area. Click here to see our entire IoT risk checklist for risk managers.


Key Questions for Risk Managers to Explore Today For New IoT Risks

1) Tort liability: preventing physical harm and product liability 

  • Does our IoT device’s design create a risk for physical harm to people or property? If yes, can we design out such risk with reasonable modification? 
  • Is our IoT device updateable? If yes, how often is it updated to mitigate the risk of malicious attacks or involuntary release of personally identifiable information (PII)? Can these updates be made automatically? 
  • Have any other company’s IoT devices that are similar to ours been hacked? How are we using the knowledge of these breeches to secure our own IoT devices?
  • For each type of physical harm that could occur when a consumer reasonably uses our IoT device, what are our investigation procedures for that incident? What data will we collect?
  • What testing procedures, including cybersecurity testing, are completed before the IoT device goes to market? What ongoing testing procedures are conducted after release? 

2) Contract liability 

  • What duties have we incurred with regard to consumers through contracts? What duties have we incurred given the nature of our devices? Have we incurred any unintended duties?
  • Does our IoT device have any capabilities that out consumers do not desire or that might cause them to file a lawsuit?

3) IoT data in litigation

  • What consumer data collected by our IoT devices might be used in litigation? 
  • Do we have a process for finding and accessing data that might be discoverable?

4) Intellectual property (IP)

  • What IP does our IoT device or software involve?
  • What open-source IP do we use?
  • How do recent IP-related court decisions apply to our company and IoT devices?

5) Risk transfer and contracting between multiple parties 

  • Does our organization have expertise in all the types of licenses that we now use (e.g. software licenses as well as traditional supplier contracts)?
  • How do our contracts allocate ownership of data and software?
  • How do our contracts allocate risk between counterparties and insurers?

6) Privacy and data security 

  • What types of data are collected by and stored on consumers’ IoT devices? Is it PII? (Examples include precise geolocation, financial account numbers, health information, driving habits, consumer preferences, and daily routines and schedules.) What types of data are we inadvertently collecting?
  • Are consumers required to opt in in order for data to be collected on them?
  • What would happen if a malicious third party accessed that data?
  • What types of data are being collected from our employees and independent contractors and stored on our in-house IoT devices?  
  • Have the IoT devices or networks of any of our peer organizations been accessed by malicious third parties?
  • Is the content and implementation of our comprehensive security program fully documented in writing?
  • Are we aware of the data breach notification laws in the states in which we operate?

7) Cybersecurity

  • How attractive to hackers are the data that we collect from consumers’ IoT devices? Are the data directly attractive (e.g. financial accounts numbers) or indirectly attractive (e.g. the lack of home appliance use signaling that consumers are out of town)?
  • Per best industry practices, are our employees properly trained to prevent or recognize cybersecurity breaches?
  • Are we consulting independent experts, such as legal counsel and forensic experts, to determine if our cybersecurity practices are sufficient per current regulatory requirements and industry best practices?
  • What testing are we conducting on our cybersecurity practices?
  • After a breach in one of our IoT devices occurs, what is our incident response plan?

8) Contracting with third parties 

  • Are we working in collaboration with third parties? Do we have a good working relationship with these entities?
  • Are we sharing our consumers’ data with those third parties? What agreements have we made with those third parties concerning data sharing?
  • How do we know when third parties with whom our IoT devices are connected have been maliciously attacked?

9) Regulatory and jurisdictional considerations  

  • How are we keeping abreast of any new regulations or policy changes? Are we adhering to the current regulations? Keeping up to date with new regulations is especially important in heavily-regulated industries. 
  • What jurisdictions are progressive and willing to accept our innovation? In specific jurisdictions, has there been legislative or public pushback against similar IoT devices?
  • What requirements for IoT devices exist in each jurisdiction where we operate or plan to operate? 

10) Health risks

  • Are there any health risks associated with our IoT devices? If yes, have we given our consumers proper notice of those health risks?
  • Have we properly notified consumers of all safety features of our IoT device?

11) Business continuity 

  • Does our company’s business continuity plan include IoT considerations? Are the IoT-related considerations included in our plan sufficiently comprehensive? 
  • What IoT processes do we use to support business operations? (Examples include priority responses to clients and partners, labs, and data centers.)
  • Do the third-party companies that are connected to our IoT devices have business continuity plans? How much do we rely on the continuity of these companies?

The content contained herein is intended for general informational purposes only and does not constitute legal advice.  Companies and individuals should not solely rely on the information or suggestions provided in this article for the prevention or mitigation of the risks discussed herein.