When an IoT Network Outage Causes a Loss, Who Pays?
In the age of the Internet of Things (IoT), the number of potentially vulnerable endpoints has proliferated, and distributed denial of service (DDoS) network outages are becoming larger in size and more heavily amplified. When a business suffers a loss from this kind of attack, it must get back on its feet — but how does it determine who is liable?
Network Outage? Start at the Beginning
The first step in the liability chain is to pinpoint whoever launched the attack that shut down the network, Wireless Week suggests. If that task becomes insurmountable, the next step is to identify the manufacturer of the hardware used in the attack. Classic legal strategy involves showing negligence on the manufacturer’s part and asserting that they breached a duty of care owed to the victims. Businesses can claim that the damages incurred from the breach were reasonably foreseeable when the design was made. However, the manufacturer will likely get a pass from this charge, as most judges won’t assign blame for simply designing internet-accessible hardware.
Looking Toward the Operator
Liability could also lie with the network service provider. In Schneier on Security, Bruce Schneier makes the point that backbone providers “don’t feel the pain when the attacks occur, and they have no way of billing for the service when they provide it.”
While Schneier believes a DDoS attack might be best dealt with at a high network level, there’s no economic incentive for a network service provider to take on the protector role. In such a case, companies might resort to tort law, which addresses liability not covered by a contract. The network operator must be able to show that it has taken reasonable steps to prevent a service disruption and has made a good-faith effort to ensure continued service, and therefore did not commit an intentional tort.
The operator must then identify attacks that could be expected from any IoT network they run and what they do to mitigate them. In this case, courts would likely employ a test of reasonableness. They’d look at the reasonableness of both the analysis performed on the network and the mitigations that the service provider put in place.
Wireless Week recommends that operators game-play potential attacks and their consequences, defining target cases for the incidents they may face.
The operator’s legal and compliance teams should also be part of an IoT network project from the beginning of the design process through launch and support, so that any liability issues that arise along the way are dealt with correctly.
As IoT grows, managing enterprise networks has become an increasingly complex proposition. When an outage strikes, it won’t be long before people start pointing fingers — understanding who’s responsible for what before an incident occurs can help the business get back to normal operations more quickly.