A New Look at an Old Hot Topic: The Internet of Things | Butler Snow LLP
Thanks to Rachel Bragg, law student at Cumberland School of Law and Summer Associate in our Birmingham office, Summer 2023, for her contributions to this article.
I. Introduction
In 1999, computer scientist Kevin Ashton coined the term “the Internet of Things” (“IoT”) in order to put a name to his idea of using RFID[1] chips to track items as they moved throughout a supply chain.[2] “Though there is no specific definition of IoT, the concept focuses on how computers, sensors and objects interact with each other and collect information relating to their surroundings.”[3] Fast-forward twenty-four years, and the buzzword phrase now describes an interconnected network of devices (“things”) linking various products we use every day. Growing at warp speed, some estimates say 14.3 billion IoT connections existed in 2022, with almost 17 billion predicted by the end of 2023.[4]
For years, attorneys have posed questions about the reach, implications and potential liability of this network, including most prominently:
- What are the privacy concerns that accompany these IoT devices?
- How will traditional products liability law apply to claims regarding these IoT devices?
- How can manufacturers minimize liability before placing IoT devices into the stream of commerce?
As with any other new technology, the legal community anticipated the plaintiffs’ bar would bring a deluge of lawsuits featuring creative theories related to IoT devices. Although we have yet to see the “boom” in IoT-specific suits that we expected, we now have a fair sampling based on over twenty years of lawsuits, technological developments and analysis to review as we look towards the future of litigation in this area.
With the benefit of some amount of hindsight, how can we proactively identify issues arising with IoT devices and data, minimizing liability for manufacturers? How can we, after a lawsuit has been filed, creatively and successfully navigate the IoT legal waters? This article provides practice pointers for reducing the likelihood of lawsuits and for limiting exposure when those lawsuits inevitably arise.
II. Pre-Suit Practice Pointers
Benjamin Franklin famously advised that an ounce of prevention is worth a pound of cure.[5] This is certainly true in the case of minimizing liability before a product reaches a consumer. In the spirit of prevention, what follows are practice pointers for minimizing liability with consumers, competitors, other companies in the supply chain and the government.
A. Set Expectations with Consumers
“The distinguishing feature of today’s Internet-connected devices is a continuing relationship between the product and the manufacturer.”[6] IoT products are more likely to involve post-sale interactions and “communication” (including data sharing and use) between the manufacturers and consumers, distinguishing them from many traditional products. Effective communication is key in any relationship, and the ongoing relationship between a consumer and a manufacturer of an IoT device is no exception.
- Marketing communications about the data that IoT devices collect should be clear, easily accessible and regularly updated alongside any software updates.
- Terms and conditions, licensing agreements, and any applicable warnings should be transmitted in such a way as to maximize the likelihood that consumers will read them, and to provide a defense to failure to warn claims. Options include clickwrap[7] and scrollwrap[8] agreements, warnings on packaging or on products themselves, and written agreements certifying that the consumer has read and understood the agreement.
- Manufacturers should clearly communicate what data they collect, how they use that data and who they will share that data with. This information should be communicated on the front end and should also be made easily accessible to purchasers who forget earlier communications or lose copies of those communications. Though it is beyond the scope of this article, many states also have data privacy laws, like the California Consumer Privacy Act, which manufacturers must also comply with.
- Finally, the importance of an arbitration agreement that is compliant with the Federal Arbitration Act and applicable state law is not to be understated, either for IoT devices or for any other consumer agreements.
B. Stay Apprised of Patents in Your Field to Avoid Infringement
The potential for patent infringement is nothing new. However, with the ubiquity of technology that connects devices to manufacturers, the Internet, and other devices, the risk of unintentional infringement has grown all the more concerning. IoT patents involve areas that are fundamental to many products’ functions and uses, such as resource management, communication, security and information retrieval. Manufacturers should be conscientious about ensuring they do not inadvertently infringe on any applicable patents. On the other hand, manufacturers should also be wary of “patent trolls,” who attempt to weaponize patents in attempts to extract settlements (or sometimes judgments) from alleged infringers, regardless of the merits of any potential claims.
C. Preserve Supply Chain Relationships
Preserving relationships with important links in the supply chain is and has always been crucial for success. The COVID-19 pandemic highlighted both the importance and the precariousness of these relationships. Though there is little any single manufacturer can do to avoid “golden screw”[9] issues, indemnity and licensing agreements can help to preserve these all-important relationships in the event of litigation against any parties to the relationships.
Manufacturers of component parts and finished products (and any other links in the supply chain, for that matter) should have clear indemnity agreements with one another. For example, if a component device malfunctions and causes an injury, it is best for both manufacturers if the decision on liability and the cost of defense is made on the front end rather than litigated between otherwise-friendly manufacturers on the back end.
Similarly, with respect to IoT devices manufactured by one party and using software owned by another party, it is crucial to have comprehensive licensing agreements in place to ensure compliance with an agreement to the specific use of any one party’s software.
D. Prepare for the Worst by Complying with Data Retention Policies
Ensuring that any important and potentially discoverable documents and data are retained can prevent many headaches in the event of litigation. Regardless of the merits of the underlying claim, a missing document that should have been retained pursuant to a document retention policy is likely to cause issues. Missing documents can generate irrelevant and unwanted questions, distract from the real issues, and inflate defense costs.
- Despite the fact that manufacturers certainly don’t need to retain all data indefinitely, to the extent there is a data retention policy in place, compliance with any such policy can spell the difference between routine discovery and drawn-out and expensive spoliation claims.
- Historical marketing communications should be retained in case there is a need to reproduce the exact statements that could have been transmitted to a plaintiff at any given time. The same is true for historical versions of any contracts that accompany a product, or that would have been shared with a customer after a purchase, as well as historical versions of contracts with other parties in the supply chain.
- To the extent any data is collected that could relate to a lawsuit, particularly to any fatal or catastrophic injuries, separate retention policies could be useful in conducting internal investigations, determining other parties potentially at fault and avoiding spoliation claims. Consulting with outside counsel could prove helpful in determining the appropriate retention policies for various types of data.
E. Diligently Ensure Compliance with Applicable Regulations
The rapidly advancing technology used in IoT devices and the plethora of new ways that IoT devices can be used mean that manufacturers need to be aware of new regulations potentially touching on their products. For example, new privacy laws in certain states can change manufacturers’ duties and responsibilities, and IoT-enabled devices can implicate federal healthcare regulations. Though in-depth practice pointers for regulatory compliance are beyond the scope of this article, manufacturers should be meticulous in ensuring that they are complying with all applicable rules and regulations by staying on top of new laws and literature, and, where needed, consulting with experienced legal counsel.
F. Protect Data with Strong Cyber Security Practices
Given the steady rise in hacking incidents, it is crucial for manufacturers who track and retain sensitive information to have strong cyber security policies in place to protect that data. Even though a complete discussion of the best cyber security practices and preventative measures is beyond the scope of this article, it is an issue that should be on every attorney and executive’s radar. Hiring cyber security personnel, training employees on best cyber security practices and ensuring compliance with cyber security policies will continue to be of vital importance for all companies—manufacturers included.
III. Post-Filing Practice Pointers
Given changing products, developing law and the existence of the plaintiffs’ bar, it is impossible to prevent lawsuits altogether. When lawsuits do happen, manufacturers can use the following strategies to minimize their exposure.
A. Get Creative with Using and Analyzing Plaintiffs’ Data
In this day and age, it is safe to assume that almost every individual plaintiff who files a lawsuit has numerous devices collecting their data in ways that could be helpful in litigation. As Butler Snow attorneys Katelyn Ashton and Susanna Moldoveanu noted in their article “The Wearable Witness: Utilizing Apple Watch Data in Civil Litigation”:
These [IoT] devices can compile extensive information on bodily systems—including activity levels, menstruation and fertility, exercise activity and attainment, food consumption, weight, sleep, noise exposure, heart rate, skin temperature, and respiratory rate. They can compile data on location using GPS functionality. And they can even measure vital signs, stress levels, and hydration levels, as well as monitor diseases and chronic conditions. What’s more, this information is compiled and exchanged with little to no user involvement—in many instances, users are not even aware this information is being tracked.
As the proliferation of these devices—and their capabilities—increases, so too does their potential for use in litigation.[10]
Plaintiffs—and particularly, personal injury plaintiffs, are compiling data for defendants whether they realize it or not. Creative outside counsel should be actively looking for ways to use this data in litigation, both to analyze exposure and to poke holes in plaintiffs’ claims.
B. Identify the At-Fault Parties
Identifying which parties (or non-parties) are actually at fault is part of the defense of any lawsuit. That is no different in a case involving an IoT device—though it may look slightly different:
- It is crucial to always ask what party is legitimately at fault, i.e., what or who was the proximate cause of an injury. For example, if an IoT device is hacked, the manufacturer could argue that the criminal or tortious activities of that third party are the proximate cause of the alleged injury. Or, if there was a software malfunction that caused an injury, it is important to investigate whether the software provider should properly be held liable (or is bound by, or protected by, an indemnity agreement).
- Just like any other product, a lawsuit involving an IoT device must involve thorough analysis and discovery of whether the plaintiff is somehow liable for their own injury, either through misuse or abuse of the product, or another theory of negligence. Should the plaintiff have updated the software for their IoT device? Did they use the device as directed? Did the device collect data that can corroborate or contradict their version of events? These are all important questions to ask in framing a defense of an IoT product case.
C. Hold Plaintiffs to their Agreements
The specific terms of what the plaintiff consumer agreed to with respect to the manufacturer should always factor into a defense analysis. Whenever there is an agreement between a manufacturer and a consumer of an IoT device, there is a potential for strategic use in litigation. Many, if not most, agreements between consumers and manufacturers involve arbitration agreements, which, if enforced, could have a substantial impact on the course of a consumer dispute. Also, to the extent there are terms and conditions or a licensing agreement with the plaintiff, those agreements may involve liability limitations or warranty disclaimers, or provide avenues for discovery into the plaintiff’s failure to abide by their own contractual obligations, potentially resulting in a partial or complete defense.
D. Challenge “Novel” Theories of Liability
With new technologies come new theories of liability. Though there are occasions where new technologies should merit new laws, trial court judges are rarely, if ever, in the position to make decisions about what the contours of those new laws should be. Further, plaintiff attorneys are often operating with a knowledge deficit about particular products’ capabilities and limitations prior to discovery. This can result in claims that do not “fit” with particular products or areas of law. Defense counsel must analyze whether theories of liability match with existing law and the facts of a case, and frame their defenses accordingly:
- As to the law, defense attorneys should determine whether a plaintiff’s theories of liability legitimately fit into the framework of existing law. Reviewing jury instructions at the outset of a case can be helpful in assessing the bounds of existing law and framing a defense that a plaintiff’s claims are outside those bounds. For example, has the plaintiff pleaded a nuisance claim regarding an IoT product in a jurisdiction where nuisance law only contemplates claims involving noxious or disruptive intrusions onto real property, and is that a basis for a dispositive motion?
- As to the facts, defense attorneys should learn as much as possible about the product’s capabilities and limitations, and then determine the best time and best ways to educate opposing counsel. Plaintiffs’ attorneys, particularly before discovery begins, may have a lot to learn about IoT products, their capabilities and their limitations. In a case brought by an attorney with a reputation for reasonableness and fair, early settlements, early education on the product’s capabilities might increase the likelihood of a fair and early resolution. Or, education through expert discovery, with an eye to mediation or summary judgment, might be the most effective way to dispose of a lawsuit.
E. Don’t Underestimate the Human Element
Even in this age of growing reliance on technology and artificial intelligence, there is never a substitute for creative thought from a diligent attorney. For example, many cases[11] involving IoT products are resolved in manufacturers’ favor on the fundamental issue of lack of injury or standing. Creatively balancing potential contract-based, tort-based and third-party centered defense strategies at the outset of a case, working collaboratively with an in-house and experienced outside counsel team and conducting a thorough initial investigation are perhaps more important in the complex IoT framework than any other area of product liability law.
IV. Conclusion
Even in an increasingly automated landscape, we are anchored by this simple truth: no technology can replace what results when people think forwardly and arrive at innovative solutions as a team. This is why it is crucial to choose a legal team that is well-equipped to handle the complex IoT landscape, and all the challenges that come with it.
[1] RFID, or Radio Frequency Identification, is a technology that identifies objects via radio waves that can be read remotely without need for visualization or physical contact.
[2] Natalie Marchant, What is the Internet of Things?, World Economic Forum (Mar. 31, 2021),
[3] Antigone Peyton, A Litigator’s Guide to the Internet of Things, 22 Rich J.L. & Tech. 1, 1 (2016).
[4] Satyajit Sinha, State of IoT 2023: Number of connected IoT devices growing 16% to 16.7 billion globally, IoT Analytics (May 24, 2023),
[5] “On Protection of Towns from Fire, 4 February 1735,” Founders Online, National Archives,
[6] Robert S. Peck, The Coming Connected-Products Liability Revolution, 73 Hastings L.J. 1305, 1314 (2022).
[7] “Clickwrap” agreements are agreements that a user accepts by clicking a button confirming that they agree to the contract.
[8] “Scrollwrap” agreements are agreements that a user accepts by scrolling all the way through them before they can confirm their acceptance.
[9] “Golden screw” refers to a critical component part necessary to produce a complete product.
[10] Katelyn Ashton & Susanna Moldoveanu, The Wearable Witness: Utilizing Apple Watch Data in Civil Litigation, For The Defense (2022) (emphasis added),
[11] See, e.g. Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955, 971 (N.D. Cal. 2015) (no standing where alleged harm was potential for vehicle to be hacked); Flynn v. FCA US LLC, 3:15-cv-855 (S.D. Ill. Aug. 4, 2015) (same, though there was standing with respect to harm of reduced market value of vehicles).