Date: Wednesday, June 21st, 2017 by Aneesah Atallah Frost.
As the use of technology in industry and the home grows, attention has focussed on the potential risks of digital content causing property damage or injury. Do insurers understand the product liability risks – what is digital content, how does it work and how do you identify the cause of problems when they occur? What about the legal liabilities? How does new legislation impact on potential causes of action, and are regulators able to keep up with the swift evolution in products, the safety of consumers and the potential for damage to property? How should insurers respond in terms of policy cover and exclusions?
The pace of change is remarkable. The Internet of Things was coined as a phrase only 17 years ago in 1999 when smart devices were first emerging. The first smart phones appeared in 1999 and contained a single sensor valued at $25 – new models contain numerous sensors costing less than 10p each. By 2020 it is estimated that for every person on the planet there will be forty devices connected to the internet.
The potential benefits for society are clear. Healthcare will be revolutionised by wearable and implantable devices monitoring health metrics and feeding information to healthcare professionals; our lifestyle will be improved immeasurably by smart devices in the home and the potential for smart cities; we are assured driverless cars will ensure motor accidents are a thing of the past. The potential for gathering or harvesting data will provide insurers with opportunities for assessing risk and tailoring their products to a changing commercial and social market.
But what happens when things go wrong? We are told those same smart phones contain hardware originating from 24 primary suppliers from three continents. If products fail, the challenges for identifying issues and pursuing recovery quickly become apparent.
The fatality involving a Tesla vehicle highlighted the potential threats as vehicles evolve towards complete automation. Healthcare apps have been the subject of recalls where calibration has been incorrect while a class action in the US in respect of Fitbits alleges that the information provided is inaccurate. Lawyers in the USA publicise issues with Google Nest Thermostats with the aim of pursuing a lawsuit focusing on defects in the software which are alleged to have caused frozen pipes and property damage.
The UK Government recently put forward the Vehicle Technology and Aviation Bill (formerly known as the Modern Transport Bill) following a consultation to which BLM – working closely with the ABI – contributed. The Bill extends compulsory motor insurance to include automated vehicles in automated mode and creates a new cause of action against the insurer of the autonomous vehicle, meaning that victims (including the disengaged driver) can continue to claim against a motor insurer (even though the owner is not at fault) and will not face having to make a product liability claim against the manufacturer. The insurer then has a right of recovery against the manufacturer. (Having said that, the Bill was shelved due to the general election and we shall wait to see whether it re-emerges ‘as was’ in due course.)
As the industry evolves, what are the risks and challenges for insurers?
A new field of expertise has emerged. Digital content is quite difficult to define, although it is nothing new. Experts suggest that the main issue with digital content arises when a party moves away from monitoring information to actually controlling devices and environments. This is where the current technology has raised the level of possible failure and impact.
There may be hundreds of reasons why a digital communication/instruction could be unsuccessful. Identifying the root cause of an issue is challenging given the number of chains and links in the chains of communication. Often evidence of any failure has already been deleted. There is a stark difference when dealing with these issues in contrast to evaluating content from data centres. Thus it is impossible to look at a smart phone and confirm why something did not send or, if it did, what route it took.
A communication may reach a home router in a smart domestic device and the router may be full. From a router a communication would go to a network, the Wi-Fi repeater and then to the controller. If this route does not work, it may be caused by human error, perhaps entering the wrong temperature in a smart thermostat controller if the software is not smart enough to notice this and request confirmation.
Wi-Fi is not infallible and depends on coverage. Nothing is 100% reliable and we cannot be certain that a communication message will reach the smart device. Further, the control device may have received an upgrade which may not accept the format which the data arrives in.
In attempting to unravel a particular liability scenario, experts suggest that analysis would need to work backwards from the event, checking each link in the chain in order to track back to the original communication. However, there may be many possible reasons why a failure has occurred – working up the chain from as close to the event as possible is the only logical method although by the time you may reach the phone message, there may be many undefinable links.
Particular networks may carry out work on the hardware but commit little resource to apps. Experts raise concerns as to the extent and level of quality assurance in respect of the apps.
A key issue is the availability and access to data which may assist forensic analysis identifying where a fault may have occurred. Something similar to a black box is required to record what has happened – tech firms rarely build in security and do not keep records, making it difficult to track backwards over the chain of communication. Mobile phone companies store data for 12 months minimum but mobile phones themselves store data for a very short period. If regulators want to push for greater accountability, they will need to pressure manufacturers to ensure adequate storage and audit trails.
What is clear is that there is good reason to front-load investigations. Data may only be available for a short period, and money spent to secure logs of information is likely to be well spent in certain circumstances. The difference between consumer-based and corporate-based technology may be a sophisticated system of logs and alerts, although experts believe that the line between consumer and corporate security is now blurred. There may be top-end home automation systems which would keep some form of log which could be interrogated for the purpose of fault finding and/or in order for the device to learn and become smarter.
Regulators acknowledge that the area of smart devices and domestic Internet of Things safety is a major challenge. UK trading standards officers have suggested that smart device investigations present a major challenge, and that while there is always some traceable footprint this may only provide potential for investigation for a matter of days or even hours.
In respect of accessing data records, more devices are becoming gateway devices, hosting through cloud and data centres that are hosted globally. From an enforcement perspective, unless data is hosted in the UK, trading standards has no jurisdiction to obtain data and no powers to do so. However, it is accepted across the trading standards profession that increased standardisation will be required.
However, UK trading standards officers report that the market is flooded with non-compliant products. A major challenge is funding for public authorities. The busy port of Folkestone has only three full-time officers inspecting incoming cargoes.
While the current government has promised reform to the product recall process, and the Consumer Rights Act 2015 (“CRA”) has introduced new laws in respect of digital content, the uncertainty produced by Brexit, together with the reduction of funding, has only increased the uncertainty, and the challenges for regulators in a fast-evolving sector cannot be underestimated.
There are potential causes of action in negligence, for breach of contract and under the Consumer Protection Act 1987.
The law relating to digital content (or software) has historically not been well explored. The case law relating to, for example, the applicability of Sale of Goods legislation to digital content, has been tentative and subject to criticism.
It is likely that developers of digital content owe a duty of care in negligence to end users to take reasonable steps to ensure that any content supplied is safe, but a claimant would need to show carelessness and it would be a defence for a creator of digital content to show they took all reasonable steps to ensure that the content was safe, e.g., by testing the content for bugs. Claimants tend to prefer causes of action where a version of ‘strict liability’ applies, i.e., where they need only show that there was something wrong with the digital content and that this caused them damage.
Claimants have sought to argue that digital content is not of satisfactory quality or fit for purpose, in breach of the implied terms incorporated into contracts for the supply of goods by traditional Sale of Goods legislation. But, prior to the introduction of the Consumer Rights Act 2015 (“CRA”), ‘goods’ and ‘products’ were defined by the courts as tangible, physical and moveable objects, and digital content is not tangible, physical or moveable. Further, the courts have also distinguished between digital content provided on a physical medium/as part of a product and ‘standalone’ digital content provided in a purely digital format (i.e. downloaded).
In respect of the latter, the courts have been reluctant to say that there has been any ‘supply’ at all (see St Albans City and District Council v International Computers Ltd). There is also a distinction between standardised digital content (‘off the peg’) and bespoke/tailored digital content. In St Albans the court suggested it would have been prepared to treat off the peg software as the supply of goods provided it was supplied on a physical medium; but for bespoke software the courts have suggested this should be treated as the supply of a service, not a ‘good’ (Salvage Association v CAP Financial Services Ltd).
The same issues would probably apply to a claim under the Consumer Protection Act 1987. Digital content will likely only be considered a ‘product’ if it is both ‘off the peg’ and supplied on a physical medium.
Perhaps to address this apparent lacuna in the law, the Consumer Rights Act deals specifically with digital content. The Act came into force on 1 October 2015 and applies to contracts between a “trader” and a “consumer”, and so creates a distinction between such contracts and ‘business to business’ contracts, the latter of which are still covered by the older Sale of Goods legislation.
The CRA deals specifically with digital content and creates new protection for consumers in this context. Digital content is defined to encompass a wide range of products (including mobile phone apps) provided the content has been paid for or was supplied with something else that the consumer has paid for. The Act implies terms into any contract for the supply of digital content that it must be of satisfactory quality, fit for a particular purpose and as described (thereby mirroring the protection previously only afforded to tangible, physical goods). If the digital content is not of satisfactory quality then the Act provides that the consumer can claim damages for breach of contract.
The European Commission is currently carrying out one of its five-year reviews of the Product Liability Directive, including whether the key features of the Directive – e.g., the definitions of ‘defect’ and ‘product’ and the defences – remain “still fit for purpose” in view of advances in technology. BLM is contributing to this consultation, including the Commission’s review of whether the definition of ‘product’ would or should include digital content and software.
Jim Sherwood, Partner
Daniel West, Associate