
Policy makers urged to 'clarify the liability issues related to smart homes' to account for cyber risk

Out-Law News | 03 Dec 2015 | 1:03 pm

EU policy makers should "clarify the liability issues related to smart homes", the European Network and Information Security Agency (ENISA) has said.

A study published by ENISA identified the "new security challenges" that might face companies that develop new smart home products with wireless connectivity features as part of the internet of things. Energy control gadgets and security systems that can be controlled remotely using mobile devices are among the smart home applications to have already been developed, with no limit to the potential to bring connectivity to other household appliances and items.

ENISA said that "security of the devices and services is not sufficient in a dynamically connected environment" and that the increasing connectivity of household devices raises "safety concerns", as well as questions about who is liable for safety problems that arise as a result of hacking.

"For example the loss of control of a thermostat, a smoke detector or a CO2 detector might have consequences on the user safety," ENISA's study said. "The CE marking implies liability for damages or injuries due to defects, but not due to security negligence."

ENISA said it is "important to define liabilities through policy" because "there is no clear incentive to naturally regulate vulnerable solution".

"Policy makers should clarify the liability issues related to smart homes by defining: the liability of industry players in cases of damages or injury, if a compromised device fails to meet its safety goal; [and] the liability of industry players whenever a private data breach occurs," ENISA said.

"Moreover, the European Commission and [EU] member states should clarify: how long companies should be liable for fixing known vulnerabilities; [and] the liability of companies not disclosing, and not fixing, potential vulnerabilities," it said.

A new legal framework should also be developed to regulate disclosures of security vulnerabilities by academics or researchers, ENISA said. The framework should allow companies "enough time to fix vulnerabilities before a disclosure is made" but not give those businesses the power to "prevent or limit the disclosure of a vulnerability … especially when a company does not provide fixes or workarounds to mitigate the associated threat".

ENISA said that addressing issues of liability can help incentivise the fixing of security vulnerabilities by companies.