It’s All Connected: Minimizing Litigation and Regulatory Risk on the Internet of Things

Page 1

It’s All Connected: Minimizing Litigation and Regulatory Risk on the Internet of Things

27th Annual All Hands Meeting 2015

October 28-29, 2015

Santa Clara Convention Center

Cheryl Falvey and Greg Call, Crowell & Moring LLP; Eve Saltman, GoPro

Page 2

Agenda

• Identify scope of cybersecurity threat

• Categorize compliance obligations

• Issue spot litigation risks

• Discuss in-house counsel role in process

Page 3

Each product raises different regulatory and litigation considerations

Page 4

Each product raises different regulatory and litigation considerations

Page 5

Cybersecurity risks

• Unauthorized access/misuse of personal info

• Attacks on systems

• Creating risks to personal safety

• Theft/compromise of IP

Risk areas: Product Liability, Cyber-security, Privacy

Page 6

Identify Compliance Obligations

• Identify and classify regulated data and systems to protect from internal and external breach

• Ensure proper governance of people and data, including implementing controls, audits and monitoring

• Update privacy and cyber policies and procedures, especially with an eye toward vendor access to systems

• Evaluate public-facing statements on security and privacy

• Know reporting requirements and response process in the event of an accident -- data breach tool kit

Page 7

Page 8

Skin Allergens/Sensitizers

• Additives
  – PPD or p-Phenylenediamine
  – Cobalt
  – Glyceryl thioglycolate

• Metals
  – Nickel

• Elastic Materials

• Latex

• Leather
  – Chromium
  – Glutaraldehyde

Page 9

Page 10

In the Matter of TRENDnet, Inc.

Page 11

FTC Expectations and Negligence

• Corporation must monitor and proactively address security vulnerabilities from any source

“[F]ailure to implement a process to actively monitor security vulnerability reports from third-party researchers, academics or other members of the public.”

• Consent Order, FTC v. TRENDnet (2013)

Page 12

FTC Expectations and Negligence

• Corporation must identify vulnerabilities in the design, development and research process.

Identify “reasonably foreseeable, material risks, both internal and external, that could result in the respondent’s unauthorized collection, use, or disclosure of covered information, and assessment of the sufficiency of any safeguards in place to control these risks . . . . In product design, development and research.”

• FTC Order, Snapchat, Inc., 2014

Page 13

FTC Enforcement

TRENDnet Settlement Terms

• Company barred from misrepresenting its security or the confidentiality of data transmitted by its cameras to consumers

• TRENDnet must designate an employee responsible for security

• TRENDnet must engage with service providers to maintain security of their devices

• Company must create and implement a comprehensive data security program and submit to third-party bi-annual audits

File No. 122 3090, in the Federal Trade Commission

Page 14

NHTSA Cybersecurity

• Security – Capability of the system to resist cyber attacks

• Risks – Potential gaps in the system that can be compromised by cyber attacks

• Performance – Effectiveness of security systems

• Unintended consequences – Impact of cybersecurity on performance of the system

• Certification – Method to assure that critical vehicle subsystems such as communications are secure

Page 15

Cyber Compliance Comparison

Columns: NIST function | FTC IoT | FDA/Medical Devices | Product Safety (NHTSA)

Identify
  FTC IoT: Security by Design
  FDA/Medical Devices: Address cybersecurity during design
  Product Safety (NHTSA): Identify owner of security design

Protect
  FTC IoT: “Defense-in-depth” layers of security to address risk
  FDA/Medical Devices: Secure based on risk level
  Product Safety (NHTSA): Establish protocols to track “levels of security” in IT and product design across all relevant groups

Detect
  FTC IoT: Monitor connected devices through lifecycle
  FDA/Medical Devices: Implement features within devices to detect breach and maintain functionality
  Product Safety (NHTSA): Monitor post-sale incident data

Page 16

Cyber Compliance Comparison (cont.)

Columns: NIST function | FTC IoT | FDA/Medical Devices | Product Safety (NHTSA)

Respond
  FTC IoT: Push out security patches immediately upon learning of vulnerabilities
  FDA/Medical Devices: Establish methods for retention and recovery of compromised data
  Product Safety (NHTSA): Include identification, elevation and resolution of security issues as part of performance

Recover
  FTC IoT: Provide patches to cover known risks
  FDA/Medical Devices: Determine the level of risk and mitigation strategies/assess residual risk and risk acceptance
  Product Safety (NHTSA): Continuous improvement loop in product design

Page 17

Hypothetical Case

Page 18

Identify the Litigation and Enforcement Risks

• Enforcement Actions

– Privacy = FTC/State AGs

– Security Around Information = FTC/State AGs

– Security Affecting Safety = NHTSA, FDA, CPSC

• Class Action Litigation

• Individual Claims

• Patent and Trade Secrets Disputes

Page 19

In re MyFord Touch

• Ford reported a “things gone wrong” rate of 500 for every 1000 vehicles;

• consumers experienced “freeze ups,” “crashing,” “black outs,” “nonresponsiveness,” “breakdowns” of the rearview camera and defroster, “inaccurate directions on the navigation system,” and

• technical service bulletins and software updates addressed these problems.

Page 20

Emerging Litigation Issues

• Typical Claims

– Negligence

– Breach of Contract

– Unfair Trade Practices

– Invasion of Privacy

– Design or Manufacturing Defect

– Breach of Warranty

– State Statutes

• Threshold issues

– Standing to sue (federal court)

– Actual injury or harm (common law claims)

Page 21

Emerging Litigation Issues

• Class Certification Issues

– Rare (dismissal or settlement)

– Claims often turn on individualized issues of causation and damages

– Thus common questions of law and facts do not predominate over questions affecting individual members

• Damages

– Aggregate exposure to nominal damages

– Due process violation?


Page 22

Typical Security Breach Settlements

• Non-monetary relief (e.g., credit monitoring)

• Monetary payments to privacy non-profits (e.g., Privacy Rights Clearinghouse)

• Consent decree requiring security improvements

• Attorneys’ fees to plaintiffs’ counsel

• Capped individual payments to plaintiffs who can prove causation


Page 23

Defense Issues

• Misrepresentations and omissions and false advertising

– Reliance

• Reasonable expectation of privacy and consents

• Implied warranties and responsible parties

• Security “vulnerabilities” and standing

Page 24

In-House Counsel Role

• Monitoring contract language

– Responsibilities, indemnities, warnings

• Building and directing compliance teams to meet the standard of care

• Comparing terms and conditions as well as consents to actual business practices

• Meeting reporting requirements

• Reviewing advertising from product packaging and labels to social media presence

Page 25

Questions?

Page 26

Contact Information

Greg Call, Partner, Crowell & Moring LLP, 415.365.7388

Cheri Falvey, Partner, Crowell & Moring LLP, 202.624.2675

Eve Saltman, Deputy General Counsel, GoPro, 650.332.7600