The Perils of Liability Disclaimers in ‘Internet of Things’ Contracts

By Meirav Furth-Matzkin.

The “Internet of Things” (IoT) – the internetworking of devices, buildings, vehicles, and appliances – is rapidly expanding. Sensors, actuators, software, and network connectivity are increasingly embedded in everyday products such as smart cars, wearable and portable fitness trackers, and smart home security systems. As IoT products – capable of connecting, collecting, sending, and exchanging data – proliferate, they present not only opportunities but also serious security risks for consumers.

One major concern is cyber security and data protection: As Internet-connected devices gain more popularity, consumers are increasingly exposed to evolving cyber threats. Indeed, IoT devices provide hackers with more vulnerabilities to exploit in multiple environments. The level and type of security risks posed to consumers inevitably depend on the nature of the data and device. In the context of energy, hackers could target smart meters to cause shutdowns, or home security systems could be penetrated and exploited to facilitate burglaries. In terms of health and fitness-related devices, ongoing collection and sharing of personal information may violate patients’ confidentiality and convey sensitive details to untrusted entities. Moreover, a device such as a pacemaker could be hacked, risking the very life of its user. Prominent stories of hacked baby monitors or vehicles reflect a troubling phenomenon of a rapidly growing and insecure technological landscape. A study by Hewlett Packard in 2014 found that 70% of the most widely used IoT devices contained grave security vulnerabilities.[1]

What happens if third parties exploit these vulnerabilities and hurt consumers? Imagine, for example, the following scenario: A manufacturer of an IoT device experiences a security breach, and the data collected by all of its devices then becomes available to hackers, who are able to place orders fraudulently with innocent consumers’ accounts for various goods. Such hacking can cause significant monetary harm and distress, but the prospect of a hacked car, pacemaker or home security system seems even more alarming.

Under tort law, a manufacturer may be held liable for harm caused to the consumer due to the manufacturer’s negligence or recklessness. Yet, what if the manufacturer includes a liability disclaimer in the fine print, indemnifying her from any liability or disclaiming any warranty that the product is secure and free of viruses or other vulnerable code? Would the company be liable under such circumstances?

Although the law to date does not explicitly prohibit the use of such contractual clauses in IoT agreements, these terms may be susceptible to ex post judicial invalidation if they are deemed unconscionable, or if the court finds that the consumer did not consent to the company’s terms of service (for example because the terms were buried in the fine print and were not sufficiently conspicuous).

But what if consumers fail to realize that the contractual terms to which they had “consented” can, in fact, be subject to judicial scrutiny and invalidation? Empirical findings reveal that consumers are reluctant to bring claims to court when facing an unfavorable clause – such as an exculpatory clause, choice of law clause, or choice of forum clause – even when such a clause is unlikely to be upheld by the court.[2] In the housing market, for example, tenants feel bound by contractual terms to which they “consented” even when these terms are unenforceable and void according to applicable landlord and tenant law.[3] If this holds true in the context of IoT liability disclaimers, it has important policy implications. Namely, it may be desirable to back regulation with strong enforcement measures. This is because putting the onus on consumers to bring claims when they are taken advantage of is unlikely to succeed if consumers’ beliefs about contract norms tell them they have not been wronged, or if they misperceive the legal status of the fine print in such cases. Accordingly, agencies such as the FTC and CFPB must be prepared to take on the lion’s share of enforcement.


