October is cybersecurity awareness month. So where are we in Canada on IoT security?
The answer is that legal requirements are lagging technological developments. Although there has been some regulatory activity, it is slow-moving and consumers still do not have a direct path to seek remedies when IoT device security fails.
A major focus for regulators in Canada and the United States has been medical devices. For example, Health Canada recently issued a notice that it will engage in a consultation this fall on cybersecurity and medical devices, which will result in Health Canada guidance to developers and manufacturers. Although Health Canada recognizes the responsibilities of users, Health Canada has made it clear that it intends to hold manufacturers to account for the security of devices throughout the lifecycle of those devices.
Medical device cybersecurity is a shared responsibility among many parties including the manufacturer, regulator, user, and network administrator. However, manufacturers are responsible for continuously monitoring, assessing, and mitigating potential cybersecurity risks associated with their products throughout their life-cycle.
Similarly, the U.S. Food & Drug Administration has issued cybersecurity guidance. The FDA has stated that manufacturers must identify hazards with respect to their devices, including cybersecurity risks and must put in place mitigations.
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
Vehicles have been another area of focus for regulators. Although Transport Canada has not addressed cybersecurity in automobiles in depth, a recent Senate Report has made many recommendations, which I discussed in a previous blog post. In the United States, the National Highway Transportation Safety Administration has gone even further and suggested that automobile manufacturers should consider real-time intrusion detection measures and real-time response methods.
Misrepresentation of security
Perhaps the most significant regulatory activity to date was the U.S. Federal Trade Commission complaint against TRENDnet, which marketed its SecurView cameras for home security and baby monitoring. The FTC alleged that TRENDnet misrepresented the security of its cameras because the cameras had faulty software that left them open to hacking. Note, however, that the issue was not so much the faulty security but the company’s misrepresentation of the security of the product.
As part of the settlement with the FTC, TRENDnet was required to obtain third-party assessments of its security programs every two years for 20 years. In addition, TRENDnet was required to notify customers about the security issues with the cameras and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
There are limited consumer remedies in Canada
The TRENDnet case may be instructive for Canadian plaintiffs seeking to pursue manufacturers and suppliers of IoT devices with defective cybersecurity. For example, the Ontario Consumer Protection Act, 2002, contains several provisions that plaintiffs can use to pursue cybersecurity complaints. These provisions could be pursued alongside traditional tort remedies for product liability.
Similar to the provisions of the Federal Trade Act under which the FTC pursued TRENDnet, the Ontario Consumer Protection Act prohibits false, misleading or deceptive representations. In addition, section 9 implies a mandatory warranty that any services provided to a consumer are of a reasonably acceptable quality and an implied condition that the goods are of merchantable quality.
However, the problem with these provisions for consumers is that the remedies are relatively limited. First, they do not apply broadly to the supply chain. Instead, they apply to the supplier of the good (e.g. the retailer). Second, the remedies for misrepresentations have a one-year limitation period that begins from the time that the consumer entered into the agreement (rather than from when the consumer discovered the misrepresentation).
The Canada Consumer Product Safety Act (CCPSA) partially fills the void by prohibiting the manufacture, import, advertisement and sale of a consumer product that is a danger to human health or safety. Violations can be punished with maximum administrative monetary penalties of up to $25,000 per violation, which is a relative pittance when one considers that the issue is human health and safety. Further, the CCPSA only addresses dangers to human health or safety, which is a very high bar. In the case of IoT, it will only apply to those classes of products where it may be reasonably expected that the hazard could cause the injury or death of an individual or an adverse effect on the individual’s health. Since 2015, only six notices of violation have been issued under the CCPSA and none have had to do with the security of consumer products. There is no private right of action.
Meanwhile, California has enacted legislation requiring manufacturers to include “reasonable security features” on any device that is “capable of connecting to the Internet”. Senate Bill 327 will go into effect on January 1, 2020. However, SB 327 does not contain any private right of action.
So, until there are stronger consumer remedies, consumers will have to rely on slow-moving governments to ensure IoT consumer safety or the willingness of judges in consumer class actions to develop tort-law principles to protect consumers’ reasonable expectations that IoT devices will be secure.