Information security: the new battle ground for building managers
Many of us will have seen the report this week about two researchers who managed to hack into the systems of new cars made by Fiat Chrysler and, through the cars’ entertainment systems, take control of various systems including the GPS and brakes.
With the advent of the 'internet of things' - where all aspects of the home and workplace are interconnected - a single breach or point of failure can prove very costly.
For building managers, it poses the question - who is responsible for the cyber security of those ‘things’? .
The question is important because there is a rapidly growing desire amongst a wide variety of companies to use internet connectivity as a feature in their products. The Fiat Crysler cars are an example of this trend along with refrigerators, blenders, televisions and aircraft.
What does the law say?
As often the case with new technology there’s little by way of legislation that covers this point. Of course the hacking itself is illegal - the Computer Misuse Act 1990 sees to that – but, in our joined up world of the ‘internet of things’, assuming the hacker is unknown - who is responsible for ensuring the security of real physical items? Should it be the manufacturer? The user? Or someone else?
Section 105A of the Communications Act 2003 imposes a legal obligation to take appropriate measures to prevent cyber security breach but only applies to telecommunications companies and ISPs. Similarly, at the European level the Cybersecurity Directive is currently being enacted and will bolster the legal obligations on companies regarding cyber security but again has telecommunications and ISPs as its main focus. The level of security for communication of messages over the internet, seems a little far removed from (for instance) the security of digital commands to the brakes or controls of a car. Can we really expect ISPs to be responsible for the hacking of physical items whilst in use?
What can users and manufacturers do in the meantime?
Between contracting parties – as discussed in a previous in house lawyers webinar, a company can allocate responsibility for a cyber-breach (provided it uses appropriate, explicit wording in the agreement). For consumer arrangements however - the court would need to consider whether any such clause was ‘fair’ in the circumstances.
In the meantime any companies involved in supplying products or services related to the internet of things should ensure they fully understand how their contracts apportion responsibility for a cyber-breach and those wishing to absolve themselves of such responsibility should make sure any contracts make this explicit.
Reproduced with kind permission from Richard Nicholas at Browne Jacobson