Manufacturer Liability for Distributed Denial of Service Attacks by a Botnet Internet of Things Army
Originally published in the ISSA Journal March 2017.
By Emily E. Duke, Esq. and Anthony S. Mendoza, Esq.
The October 21, 2016 Mirai virus DDoS attack on Dyn has spurred many discussions about vulnerabilities associated with the Internet of Things (IoT). The attack utilized Mirai malware that infected tens of millions of internet-connected devices like cameras, baby monitors, home routers, and gaming systems, which combined to form a powerful botnet army. With botnets and the strategic targeting internet infrastructure on the rise, it is only a matter of time before regulators or plaintiff’s lawyers knuckle down on IoT device makers. What liability exposure might IoT device makers face?
This paper explores three main concepts: (1) the legal framework in which IoT device manufacturers operate; (2) relevant regulatory enforcement actions against companies for unreasonable security and privacy practices; and (3) resulting changes that the IoT device developers should consider integrating into their development practices to avoid legal hot water.
The paper concludes that litigation related to vulnerabilities in IoT devices is only a matter of time. While regulations aimed at the IoT industry develop, plaintiff’s attorneys may try familiar legal doctrines from the product liability realm to pursue their claims now. IoT device manufacturers would be wise to become familiar with these legal theories, modify their products and business practices, and review their contract liability allocations in order to mitigate potential liability from the use of easily hijacked IoT devices as a weapon in the hacker’s arsenal.
To read more, download the entire article below or check out the ISSA's website at www.issa.org.