Date: Tuesday, October 3rd, 2017 by Michaela Hickson.
Insurers underwriting product liability and recall risks face an unpredictable future. In addition to uncertainty as to the post-Brexit legal framework, rapidly changing technology is transforming every product sector and throwing up new insurance and legal challenges. The recent roundtable Global Insurance Law Connect member firm, BLM, hosted in conjunction with the London Market Claims Club (LMCC) considered both the potential issues raised by Brexit for product liability insurers and also the legal framework struggling to keep pace with technological change – is the law still fit for purpose.
Few fields of law are so dominated by law and regulation derived from or influenced by EU law as product liability. The Consumer Protection Act 1987 (CPA) implemented the EU Product Liability Directive and our courts look to the European Court of Justice to provide guidance and precedent on interpretation. Product and consumer safety rules and regulations are governed by EU Directives across sectors, while the consistency of surveillance, for example RAPEX, depends upon EU co-ordination.
Meanwhile, issues of jurisdiction, enforceability of judgments and applicable law are determined to a significant degree by civil and commercial instruments within the EU system of civil judicial co-operation. The UK Government has proposed a cross-border civil judicial co-operation framework which seeks to maintain the vast majority of the existing framework and indeed the Great Repeal Bill will convert directly applicable EU law to UK law. The Government has said “The UK will therefore seek an agreement with the EU that allows for close and comprehensive cross-border civil judicial co-operation on a reciprocal basis, which reflects closely the substantive principles of co-operation under the current EU framework.”
However, all is subject to negotiation and raises potential problems. For example, the CPA focusses upon the liability of a producer or importer into the EU. Where a policyholder imports goods from an EU country, or exports goods into the EU as a manufacturer, how will the law address potential liabilities after March 2019? Similarly, how can there be consistency in the approach to regulation of products where producers have no certainty as the application of Regulations, whether applicable to medical devices, toys or food.
Dealing with varying approaches by regulators is nothing new for product liability lawyers or producers and their insurers, even within the EU. Obtaining local advice to ensure compliance with regulator’s requirements is always the safest option but a new layer of uncertainty will be introduced post-Brexit.
Further tightening of product safety regulations is underway within the EU and new rules on general product safety are expected in the near future. The Medical Devices Regulation 2020 is already in force but formally takes effect from 2020. The impact on the regulation of medical devices and the move to the life cycle approach of US regulators, including the regulation of software in new technology, shows a significant change.
Similarly the General Data Protection Regulation 2018 introduces new requirements which impact on products including artificial intelligence. In February this year the European Parliament adopted a resolution with recommendations on civil law rules in respect of robotics, proposing a compulsory insurance scheme for specific categories of robots, a compensation fund, a comprehensive review of the legal framework and the possibility of a specific legal status for robots as an “electronic personality”. The UK may simply adopt these measures in the future. But if so, will there be the chance for the UK to contribute substantively to the process or manage the impact?
The law may not be fit for purpose in view of the increasing reliance on the Internet of Things (IoT), digital content and autonomous vehicles. By 2020 there will be 25 billion IoT devices. The previously introduced Vehicle Technology and Aviation Bill (now reintroduced during the Queen’s Speech as the Automated and Electric Vehicles Bill) is another step on the path to widely available autonomous vehicles by 2025.
Such technologies have obvious scope to go wrong and the most obvious example is hacking with the number of cyber-attacks rising dramatically. Any consumer product that functions with software and/or a connection to internet is potentially vulnerable to hacking. Further, the desire for speed to market without thought to any and all existing threats can lead to inadequate security to address vulnerabilities (e.g., default passwords, lack of encryption, etc.).
There are many high profile examples: an attack on a computerised waste management system in Australia in 2000 caused millions of litres of raw sewage to spill into rivers, etc.; in 2014 an attack caused overheating of a furnace in a German steel mill leading to millions of pounds worth of damage; in 2015 it was demonstrated that Jeep Cherokees could be immobilised, caused to accelerate or brake and their steering wheels turned; in the same year there was an attack on computers that controlled centrifuges used to refine uranium in Iranian nuclear facilities; government issued guidance on 18 September warning that cruise ships could be sunk by cyber terrorists by distorting mapping or gaining access to the ship’s controls; and the BBC recently reported that certain pacemakers could be caused to pace too quickly or run down their batteries.
But Joe Weiss, author of Protecting Industrial Control Systems from Electronic Threats, says that “The Internet of Things introduces new vulnerabilities even without malicious actors” because the internet is controlling industrial systems, the energy grid, medical devices in hospitals and smart-home systems, etc., and was never intended to control any of these things.
Indeed, the US National Transportation Safety Board (NTSB) recently found that Tesla’s Autopilot system was partly to blame in the well-publicised fatality involving an automated Tesla Model S which collided with a lorry. There are other worrying examples: healthcare apps have been recalled where the calibration was incorrect; Fitbit faces a class action in respect of the accuracy of its heart monitor; and a problem with Google Nest thermostats drained the battery and sent homes into a chill, raising the threat of freezing water pipes.
These kinds of problems raise some challenging legal issues. For example, does digital content count as a ‘Good’ or ‘Product’? This question was partly addressed by the recently introduced Consumer Rights Act 2015 (but only for consumers). Prior to the introduction of that Act, pure digital content (i.e., not sold on a physical format) was not considered to be a ‘Good’ for the purposes of Sale of Goods legislation. And the issue remains for the Consumer Protection Act 1987 (CPA) which deals with ‘Products’. The EC recently considered this very issue as part of its review of the Product Liability Directive (from which the CPA is derived).
The courts may also need to consider what level of safety and security a person is entitled to expect with regard to digital content. The recent case of Wilkes v DePuy (2016) EWHC 3096 (QB) tells us that cost/benefit analyses and compliance with relevant standards can be taken into account – but there is a dearth of standards relating to safety and security of digital content. Further, all software tends to be buggy; and no device is 100% secure (or bomb proof). We expect periodical updates; and, indeed, the fact that a product can change over time (perhaps because it is updated; or because it contains artificial intelligence that can learn) introduces its own legal issues (since safety is traditionally assessed at the time a product is placed into circulation). Would insufficient security even be capable of amounting to a ‘Defect’ for the purposes of a CPA claim? Should lack of security be equated with lack of safety? The determination of this question is likely to be very fact specific and will depend on the type of product, its purpose and the expectation that security will be included.
Lastly, we may also need to consider whether a producer could or should be liable for the actions of a hacker. Generally the deliberate/malicious acts of a third party will break the chain of causation. But there remains scope for a claim where, for example, the purpose of the product was (at least in part) to secure against hackers and where it failed to do. Again, the determination of such issues will be very fact specific.
The types of incidents envisaged also call into question the line between cyber and product liability. Typically, cyber policies respond to data breaches and privacy claims and can exclude the destruction of tangible property and bodily injury. A Product Liability policy could respond to the latter. Many policies include a General exclusion relating to losses caused by hacking, viruses, etc.; but such exclusions may not be sufficiently broad to cover all scenarios leaving a so called ‘Silent Cyber’ risk (or non-affirmative cyber risk). Indeed, in July this year the Prudential Regulation Authority (PRA) set out its expectations for the prudent management of cyber risks in a supervisory statement including recommending robust assessments of non-affirmative cyber risk exposures. The line is becoming increasingly blurred which increases the need for Product Liability lawyers and underwriters to understand cyber-type technologies and risks in policyholders’ products and the supply chains involved.
Jim Sherwood, Partner
Tel: +44 (0)20 7865 3376
Email: [email protected]
Daniel West, Associate
Tel: +44 (0)20 7457 3550
Email: [email protected]
Our vision and focus is to use the strength and depth of our company to help our clients reduce the time and money they spend on managing risk. If you need a global group of legal advisers, delivering a creative, commercial and specialist service, talk to Global Insurance Law Connect today.
Contact: +44 (0)20 7870 4852