Law Times

Law Times • may 14, 2018 Page 11 www.lawtimesnews.com Connected devices can lead to security risks BY MARG. BRUINEMAN For Law Times A n Ottawa lawyer says the makers and sellers of internet-abled de- vices are not governed by any particular provincial or federal legislation to ensure those gadgets are secure. Shaun Brown, a partner with nNovation LLP, who practises privacy and cybersecurity law, says there is virtually no fed- eral or provincial legislation that provides legal guidance on the security of a growing list of in- ternet-abled devices that are be- ing developed, from connected cars to fitness trackers. Product liability laws allow lawsuits if an unsafe product leads to injury, says Brown. He says he sees potential for those laws to be adapted to con- nected devices that are not se- cure and lead to harm as a result. He says the challenge, however, is having to wait for case law to develop. "The problem with that is you're also waiting for something bad to happen and then hoping there is litigation and then case law that comes out of that," he says. "What we see in most cases with a lot of litigation is it often settles and we don't get any case law, especially with class actions." There's no question the number of connected devices is quickly growing. There's even an internet-enabled pregnancy test, observes Kirsten Thompson, a partner at McCarthy Tétrault LLP, who leads the firm's na- tional cybersecurity, privacy and data management group. Thompson says that, in her own practice, she increasingly sees that "the vector by which a company gets in trouble or gets hacked is through a connected device. "Often, they have very rig- orous protections around the central system, but it's these peripheral systems, everything that's tapped into it [that are not secure]," says Thompson. "It doesn't have to be that way." For example, she points to a recent example of a North American casino that was tar- geted by hackers through an internet-connected fish tank. "So, whose responsibility is it? Is it the people or the com- panies that are bringing on the internet-connected devices, is it the people making the internet- connected devices [or] is it the consumer who should be aware of these things?" she asks. While there is robust private- sector privacy legislation that applies to companies when they collect and disclose personal information, Brown says he sees a large gap when it comes to protecting information from cyberattacks. So, unless the companies are collecting per- sonal information in the course of commercial activity, he says, privacy laws don't apply. The result, Brown says, is that there is arguably no legal obli- gation for companies to build, sell or distribute secure prod- ucts. There are also no ongo- ing obligations for companies to make sure that the security of these products is maintained over time. Part of the issue, says Brown, is that the regulations are complex and complicated by the division of powers between the federal and provincial gov- ernments. He points to privacy legisla- tion as an example. In the ab- sence of privacy legislation in all provinces, the federal govern- ment enacted its own legislation to fill the gaps and ensure there is something in place across the country. Provincial consumer protec- tion legislation and sale of goods legislation that imposes statu- tory and implied warranties on products and services typically applies to commercial goods. However, Brown says, wheth- er or not the legislation applies to the security of these newer prod- ucts hasn't yet been tested. Product liability law is largely rooted in contracts and negli- gence, but it includes contracts and warranties, says Nicole Henderson, whose practice with Blake Cassels & Graydon LLP focuses on class action, product liability and privacy/ cybersecurity. It imposes a duty of care upon manufacturers to avoid creating unnecessary risk in putting out a product and to warn of reasonably foreseeable risk that it knows about, she says. The interesting aspect, adds Henderson, is that there's little likelihood that when product liability principles were first de- veloped that lawmakers would have foreseen them being used in this way. She points to the almost- century-old seminal product liability case Donoghue v. Ste- venson, which was a United Kingdom House of Lords de- cision that set out the modern concept of negligence and the obligation of duty of care. At is- sue was a snail found in a bottle of ginger beer. "To some extent, we find our- selves trying to consider how those same principles would ap- ply to a smart watch, to a smart thermostat, to anything else," says Henderson. FOCUS A FIRESIDE CHAT WITH THE HONOURABLE THOMAS CROMWELL AND THE HONOURABLE DENNIS O'CONNOR The Art of Advocacy and the Road Ahead Followed by a Wine & Cheese Soirée WHEN Wednesday, June 6, 2018 Fireside Chat 5:30 – 6:45 p.m. Soirée 6:45 – 7:45 p.m. Register now or contact us at tlaonline.ca | info@tlaonline.ca Untitled-1 1 2018-05-08 4:41 PM See New, page 13 Shaun Brown says product liability laws allow lawsuits if an unsafe product leads to injury. I think what you're really seeing a lot in cybersecurity cases is really an allegation not that the plaintiff has actually been injured but that somehow they're at some risk. Nicole Henderson

• Cover