At the 2015 Advisen Casualty Insights Conference, Lisa Lang, Michael Hudzik, Michael O’Brien and Scott Godes discussed risks associated with the “Internet of Things” (IOT). The focus of their session was sensory devices that are communicating via the Internet.
IOT devices include wearables such as wristbands and watches, smart phones, and smart technology in cars, televisions, home HVAC systems and home security systems. It is estimated that 5 million devices are connected to the Internet today – a statistic that is expected to continue to grow exponentially in coming years. In fact, there were over 900 exhibitors with IOT devices at the Consumer Electronics Show this year.
A study by Hewlett Packard reported that 75% of IOT devices have privacy and security concerns. This includes everything from medical devices, such as pacemakers and insulin pumps, to cars that can now be hacked and taken control of.
There are both first- and third-party risks associated with IOT devices. The panel provided the following examples:
- Warehouses – IOT devices are used to track items in warehouses that are being used to fulfill orders and are being relocated within the warehouse. If the Internet goes down, productivity is lost. This is a business interruption risk.
- Disney Magic Bands – Disney allows guests to purchase a wrist band that knows who bought it. The band allows you to do things like make purchases, enter your hotel room and pay for food in their restaurants. There are first-party concerns if this system goes down and third-party concerns around how much information Disney has collected (i.e. credit card info, info about special food requirements, info about disabilities).
When implementing IOT devices for business, a team should research the potential impact on their casualty coverage. Is the exposure insurable?
Another question to consider is are there product liability implications associated with the IOT devices being used? This adds a layer of complexity. Can the device lead to personal injury or property damage? If so, litigation will involve a post-accident investigation as to whether the device failed. Another concern is if the device can be hacked. The panel cited an example of a German steel factory that suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in massive damage to plant.
It’s getting to the point that, in the future, EVERY consumer electronics product could contain a IOT device. If so, is a hacked device a claim covered under product liability? What if the smart phone that controls all of the devices is hacked and is used to hack other devices? Where does the liability rest?
There are currently no standards established for the incorporation of IOT devices into products. Because of this, the panel predicts that there will be class action suits in this area. If a handful of devices fail, you could see large class action lawsuits against the manufacturer.
Many items still need to be determined, including:
- How do you evaluate bodily injury and property damage coverage with respect to IOT devices?
- Is this a peril covered by standard policies?
- Does cyber coverage include this?
- Is someone hacking into your device a covered peril?
- Will we see a resurgance of cyber policies that covers everything not specifically excluded?