Legal BlackBook

TM

JULY 2018
INTERVIEW: TODD BENOFF / ALSTON & BIRD

COULD A CYBERATTACK LEAD TO ABSOLUTE LIABILITY?
A litigator wonders whether hacking, driverless cars and product liability laws could transport us there.
Todd Benoff is immersed in what has to be one of the more challenging areas of cybersecurity litigation. This is where science fiction lands in court. He co-leads Alston & Bird’s Connected and Autonomous Vehicles Team and is focused on the cybersecurity issues that are unique to those vehicles. He concentrates his trial practice on high-exposure cases in the areas of product liability, class actions, toxic and mass torts, and business litigation. And one of the looming questions that has his attention is how product liability laws could create absolute liability if a hack occurs.

CyberInsecurity: Every day, it seems, we read about the vulnerabilities of the internet of things (IoT). The more devices, the more complexity, the more mischief that hackers can create. But this isn’t entirely new, is it?       
Todd Benoff: In a sense, it isn’t. Throughout history, people have been building locks and picking them. The difference now is that we are connecting devices that have never really been thought of as networked or even computerized. Just think of a “smart” home. You have everything from the lights to the refrigerator to the speakers on the same network. That means lots of new nontraditional attack vectors.

CI: What are the big vulnerabilities—in terms of products and dangers—that you see out there now?
TB: Because I’m a product liability and class action lawyer, I tend to focus on those legal risks. Cars and medical devices that connect to the internet and communicate with other products—also called “connected” cars and medical devices—worry me the most. The product liability laws that are currently on the books are not a good fit for these new technologies. If a connected car or medical device is hacked, the manufacturer could be facing absolute liability. Yet the laws that would lead to that result were never designed to create absolute liability.

CI: What’s the potential difference from the cybersecurity litigation we’ve seen up until now?
TB: Most of the breaches to date have targeted personal information such as credit card numbers. The stores, restaurants and other targets have been protected from certain types of claims by the economic loss doctrine. Because breaches to date have not harmed people or damaged property, tort theories like strict product liability have not come into play. But that will all change when a connected car is hacked and crashes, or a pacemaker is breached and turned off. In those cases, strict liability could lead to absolute liability.
  Here’s how it would work. When the manufacturer is sued under a strict liability theory, the plaintiff will argue that the design of the product was defective, because there was a vulnerability that the hacker exploited. Think about how this will play out under the risk-benefit theory. The plaintiff will bring in an expert who says that it would cost nothing to write a particular line of code differently, or to roll out a patch before the accident, instead of after. At that point, the manufacturer would have to show that the benefits of its code design outweigh the risks. Which would be very hard to do, because that system has just been hacked. And that’s the problem—every connected system can be hacked, and every hack can be Monday-morning quarterbacked. That’s what I mean by absolute liability: Manufacturers would be put in an impossible position. And that’s the scenario that worries me. It puts manufacturers in a position that the law never intended, and that companies may not be able to afford. So we could see companies moving out of these areas. Atlas might shrug. That’s a problem, because the products we’re talking about are all intended to save lives.

CI: What are in-house lawyers supposed to do? Do they need to constantly assess their IoT inventory and legal exposure?
TB: These issues will present new and extremely difficult challenges for in-house counsel. They’re being asked to assess and scope risks that have never been seen before. They will have to build these risk models without any sort of a blueprint. Which is why partnering with outside counsel will be critical—no one person has all of the expertise necessary. There just aren’t enough hours in the day to be an expert in data privacy and cybersecurity; and to also be a seasoned product liability trial lawyer; and to also have years of experience handling high-exposure class actions; and to also have spent decades prosecuting patents, and later defending them in IP litigation; and to also have years of experience negotiating deals to license, sell, acquire and protect all of the technology assets that are key to connected products. And so on. New teams will have to be formed.

CI: Obviously, for medical device companies and firms that are either manufacturing or planning to deploy driverless cars, risks are unavoidable. But what about other companies that are considering, say, driverless cars, not as a core business but as a money saver. How are they supposed to weigh the legal risks? What role should their general counsel be playing?
TB: This raises a number of interesting issues. If the autonomous vehicle is just used by company employees, workers’ compensation laws may shield the company from suit by an injured employee. On the other hand, if the company car hits a stranger on the street, the company could face liability, even though it did not design or manufacture the vehicle. Which is where supply agreements will come into play. The battle over indemnity clauses will become key at every link in the supply chain for autonomous vehicles.

CI: For the companies that are heavily involved in this area, is there legislation, or are there regulations that they are lobbying for, to shield them from liability?
TB: Not yet. I don’t think many people are focused on this issue at this point. That’s one of the things I’m trying to change.

CI: What about cyber insurance? Are insurance companies writing policies that afford companies protection from product liability lawsuits of this kind?
TB: It will be very interesting to see how the insurance industry evolves to deal with cyber threats. Insurance is a data-driven industry, and right now there is not a lot of data on the sorts of risks we are discussing. That said, I would not be surprised to see new products develop for some of the exploits we are currently seeing, such as ransomware and distributed denial-of-service attacks.

CI: When you’re dealing with risks that could lead to death, does that require a different approach in order to mitigate the potential liability?
TB: It does. Using connected cars as an example, manufacturers are developing multilayered approaches to cybersecurity. But as any cybersecurity professional will tell you, any connected system can be breached by someone with enough time, talent and money. So the idea that anyone will ever build a connected car that can’t be hacked—or spoofed—is a bit of a fiction. Which is yet another problem with the strict product liability laws currently on the books. A manufacturer can have best-in-class cybersecurity, and a jury can still decide that that system is “defective.” Which will affect more than just that one car. The breach of one vehicle will likely lead to a class action that covers every model and year of vehicle that arguably has similar code.

CI: What are some of the other big legal issues that in-house lawyers should focus on in this area?
TB: Right now, most people are focused on the evolution of the regulations that will impact their business. And that is clearly critical. But there are other issues, like the ones we’ve already discussed, that also need to be examined. Basically, it boils down to this: Many of the last century’s laws are not a good fit for the new millennium.
Todd Benoff
In-house counsel are being asked to assess risks that have never been seen before.