0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

who is responsible for cybersecurity in the internet of things?

27 July 2013

According to a recent report two researchers managed to hack into the systems of new cars made by Fiat Chrysler and, through the cars’ entertainment systems, take control of various systems including the GPS and brakes.

In addition to being genuinely scary, this raises the question – as the ‘internet of things’ becomes reality - who is responsible for the cybersecurity of those ‘things’?

The question is important because there is a rapidly growing desire amongst a wide variety of companies to use internet connectivity as a feature in their products. The Fiat Crysler cars are an example of this trend along with refrigerators, blenders, televisions and aircraft.

What does the law say?

As often the case with new technology there’s little by way of legislation that covers this point. Of course the hacking itself is illegal - the Computer Misuse Act 1990 sees to that – but, in our joined up world of the ‘internet of things’, assuming the hacker is unknown - who is responsible for ensuring the security of real physical items? Should it be the manufacturer? The user? Or someone else?

Section 105A of the Communications Act 2003 imposes a legal obligation to take appropriate measures to prevent cybersecurity breach but only applies to telecommunications companies and ISPs. Similarly, at the European level the Cybersecurity Directive is currently being enacted and will bolster the legal obligations on companies regarding cybersecurity but again has telecommunications and ISPs as its main focus. The level of security for communication of messages over the internet, seems a little far removed from (for instance) the security of digital commands to the brakes or controls of a car. Can we really expect ISPs to be responsible for the hacking of physical items whilst in use?

What can users and manufacturers do in the meantime?

Between contracting parties – as discussed in a previous in house lawyers webinar, a company can allocate responsibility for a cyber-breach (provided it uses appropriate, explicit wording in the agreement). For consumer arrangements however - the court would need to consider whether any such clause was ‘fair’ in the circumstances.

In the meantime any companies involved in supplying products or services related to the internet of things should ensure they fully understand how their contracts apportion responsibility for a cyber-breach and those wishing to absolve themselves of such responsibility should make sure any contracts make this explicit.


training and events

22Jan

Broker Insight London office

Developed for brokers, this exclusive series of events will provide you with operational and practical insights from across the legal spectrum.

View event

29Jan

Claims club Exeter office

We are pleased to invite you to our first Claims Club of 2020 where we will be looking at a number of topical issues such as; risk proposition, environmental changes and harassment in the workplace.

View event

focus on...

Legal updates

FOIA and data protection: the difficult balancing exercise for public authorities when a request is made for third party personal data

The Freedom of Information Act 2000 (‘FOIA’) allows members of the public to request information from public bodies. As guidance issued by the Information Commissioner explains, the main principle behind FOIA is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.

View

Guides

FAQs for startups

Below are some of the questions we are regularly asked by startups, covering a range of topic areas.

View

Richard Nicholas provides a data protection update

As part of our regular updates for in-house lawyers, Richard takes a look at what has changed in data protection law over the last six months

View

Heat Networks - navigating the legal issues | Browne Jacobson LLP

Public and private bodies throughout the country are exploring their options for developing new networks and expanding existing networks, both with and without central government support.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up



Select which mailings you would like to receive from us.

Sign up