Smart Home Exhibit @ The Museum of Science and Industry

We have all heard about smart homes and the nirvana they may create. But we hear little about the risks, exposure and liability smart homes may pose. These risks stem from the fact that the standards governing smart home devices and the Internet of Things (IoT) simply don’t yet exist. And to the extent any do, they are not necessarily consistent and the law is not well developed. Nor has it addressed many of the issues raised by the new technologies. So we have a bunch of new devices that are popular, that carry some risks with few standards or laws governing them. Sound like a recipe for litigation?

What Are Smart Homes?

When we talk about smart homes we are really talking about the IoT. The IoT is composed of small and inexpensive but everyday devices like thermostats that collect and share data via wireless connections or Bluetooth with people or with other devices. These connections can automate certain things. So a sensor in the garage door you open when you come home might tell another sensor in your house to turn on the lights and a thermostat sensor to change the temperature in the house. (Here’s a link to video from Apple demonstrating a smart home.)

When we talk about a smart home, we are really talking about a home equipped with a network of connected products that can control, automate and optimize functions such as lights, electrical outlets, thermostats, windows, fans, locks, doorbells, appliances, vacuum cleaners, lawnmowers, curtains and pet feeders, among others. Not to mention related devices and apps like Amazon’s Alexa, Apple’s Siri, and Google Voice. The list is growing every day.

Why Now?

There are three reasons this is happening now: smaller devices, reduced costs, and market opportunity. Right now, there are some 6.4 to 13 billion IoT devices in use, depending on who’s guessing. Last year, IoT devices generated some $19 trillion in profits; by 2020 it’s estimated to be 50 trillion.

And there will be more and more of these in homes. Even today 2/3 of consumers say they want a connected home. It’s estimated that within 3 years some 43% of homeowners will actually have numerous connected devices in their homes.

And we also have more data being generated by these devices and the potential for greater analytics of that data to tell more things. And with cloud computing there is much more opportunity to aggregate and massage this data.

So, developers want to develop, makers want to sell and companies want to collect, manipulate and even sell all this data. They are all driven to get to market first and capture customers, not security and safety. And therein lies part of the problem.

Risks and Questions

Despite the popularity of IoT devices and smart homes, there are risks associated with these devices that will ultimately lead to exposure and litigation. Some are presented by the hardware, some are presented by the software that runs the hardware, and some are presented by the massive amounts of data generated and collected. Here are some sobering statistics about the IoT in general courtesy of a recent study called The Internet of Hackable Things from researchers at the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation (the information was compiled from industry and academic research reports):

  • 90% of devices collected at least some information via the device
  • 80% of devices, and their cloud and mobile components, required no password or the passwords that were required were not complex enough
  • 70% of devices and their cloud and mobile components enabled an attacker to identify valid user accounts through enumeration
  • 70% of devices used unencrypted network services
  • 6 out of 10 devices that provided user interfaces were vulnerable to a range of weaknesses, such as persistent XSS and weak credentials

So what’s driving these risks?

First, there are no real consensus standards governing design, manufacture or performance of these devices. UL and other bodies are just beginning to look at these issues.

Second, to the extent there are laws and regulations, they are being enacted by all sorts of different agencies, leaving a hodge-podge and no clear regulatory or legal direction.

Third, very few cases outline the liability associated with IoT devices and smart homes and how judges and juries may treat liability questions.

Fourth, some of the devices are poorly designed and made. The useful life of the device is not communicated and may not even be known by the manufacturer. And there is also little independent product assessment.

Fifth, some devices are being designed and made without considering the risks of the devices being exploited or, in common parlance, hacked. So, for example, you get baby monitors being hijacked and strangers talking to babies through the monitors. You get TVs being hacked and held ransom.

Finally, often there is no commitment by the developer to patch and update the software. Think about how often you must update the software of your laptops, tablets and smart phones. These updates provide security from vulnerabilities and problems that are discovered. (As an aside, if you don’t promptly download these upgrades, please do so. They really do protect you). With some devices, we don’t know how and how often updates are planned and under what circumstances.

We may not know how long the company plans to support a product with software security upgrades. We don’t know what a consumer has to do to get upgrades or how to receive them.

Another risk stems from the fact that data from all these devices may be collected and stored someplace else with unknown quality and security controls. So you not only have more data being collected and kept than homeowners ever dreamed (data owned not by the homeowner but by someone else), but you also know little about who has it and what they might do with it. And some of this data could be pretty sensitive stuff. And informed consent as to what can be done with the data is a big issue. We are all used to seeing and agreeing to consent forms for applications (the way these are done raises the question of whether the consent is truly informed), but how do you provide and get consent for devices that may not have a screen?

And finally, as with any unregulated and untested device, there could be lots of potential failure modes that exist for a long time with results ranging from mere annoyance to catastrophic.

What are potential claims and exposure?

Clearly, there could be claims for data breach or privacy violations. While at this point there is a split in jurisdictions whether this loss is something a plaintiff can recover, the trend is for courts to say that privacy has monetary value and you can sue when it’s lost.

And the FTC has jurisdiction to investigate and penalize unfair and deceptive business acts and believes strongly that inadequate cyber security protections and practices are such an act. It has brought enforcement cases against manufacturers of IoT products used in homes, such as cameras and routers, alleging that they were not adequately secure from data breach.

It has also brought proceedings against hospitals, doctors office building owners and businesses in general for not having procedures to protect security. The penalties can be significant.

But the biggest concern is what happens if there is a failure, either of the hardware or the software, and there is a loss. What is the exposure if and when this happens? Certainly, if an IoT product is installed incorrectly or fails, the liability for that is like that of any other product: a roof or HVAC system, for example.

But what if the failure results from faulty or unpatched software? There is not much law yet. Is software legally like a product? Is it more like a service? We don’t know. And what if failure occurs because the software was not upgraded or patched and the software developer is long gone? We don’t know: software is not like a product like a part in an HVAC system where if something goes bad and the manufacturer is gone there are still other parts providers.

The few cases that have dealt with these situations turned on what representations were made about the product and software and its capabilities; what representations were made about its security and what disclosures or lack of disclosures were made about the potential risks.

So, just as with lots of other technologies, there is a gap between the law and new issues created by the technology; another one of many such gaps we face.

Photo Attribution: Brentano via Flickr, Justin Brockle, Boston Public Library

This year’s Clio Conference in New Orleans just concluded. Clio calls itself a cloud based law practice management software company. Every year, it holds a conference with lots of razzle dazzle, speakers and parties. And it always skates where the puck is going.
This year was no exception. While it offered a slew of new products (here’s a good article from Bob Ambrogi on these new ones), here are my top 10 takeaways on the conference itself.

1. If Jack Newton, the CEO and one of the founders of Clio is not the Steve Jobs/Elon Musk of legal tech, I don’t know who is. 10 years ago he created a product, grew it immensely and continues to innovate. Last year he gave us the first comprehensive Survey of the legal profession (see below). This year, a new interface and software program. And to top it all off, he gives us an honest-to-goodness technology conference with dazzling keynotes, great content, high energy, music, parties and fun. No one else in the industry seems to understand that people are drawn to good presentations, good speakers, welcoming atmosphere and, oh yes, music. Clio knows how to succeed in this space better than anyone.

2. Clio is successful because it listens to its customers. 1200 attendees, 150,000 legal professionals using it in 90 countries. 240 employees in 4 offices. All in less than 10 years. You don’t get there without being attuned to the market and knowing and listening to your customers. Prime example: this year Clio even set up labs where you could go play with the new products and were strongly encouraged to …OFFER SUGGESTIONS. There’s a complicated marketing idea.

3. This year’s theme was transformation. True to the theme, the headline keynotes were chosen with care. The first was from the astronaut, Chris Hadfield, who gave one of the most inspiring talks I have ever heard.

Col. Hadfield talked about how NASA transformed itself starting by accepting President Kennedy’s moon shot challenge (“We choose to go to the moon. We choose to go to the moon in this decade and do other things, not because they are easy, but because they are hard”) and finishing with the miraculously successful moon landing some 7 years later.

The next day’s keynote was from Haben Girma, the first deaf/blind person to graduate from Harvard Law School. After listening to her and getting to know her a bit, graduating Harvard Law may be one of her lesser accomplishments, believe it or not (You should see her dance!). Haben showed us that we all have disabilities and that tech and innovation transform us and help us overcome them. My favorite Haben quote from her talk: “there are always alternatives”.

4. Under the no detail goes unnoticed category: while I know nothing about event planning, the idea of announcing the location of next year’s conference and then offering a special low rate for it at the end of the conference when everyone is jazzed seems brilliant. 50% of those attending next year’s conference have already signed up…and paid. Wow.

5. Does Clio have its sights on big law? While Clio is king in the small to mid size market, I suspect it’s looking to expand to big law. Newton mentioned for the first time that Clio now has AmLaw 100 clients. And that the new Clio software will allow each firm to customize the version for itself. And Clio now integrates with Outlook 365. And it’s looking at all sorts of data about the profession (which by the way made me also wonder whether Clio is not only going after big law but may also be ready to take on ALM). When I saw the demo of its new products, I asked the rep why Clio didn’t market more to big law. The answer was the proverbial Cheshire Cat grin.

6. Clio has recognized that instead of a practice management company, it may really be a data and data analytics company. Last year, it mined its massive data and came up with a pretty elucidating survey. This year it improved that survey and asked a lot more questions. While the Survey still shows that many lawyers continue to work too hard to bill and collect too little, it now also shows that most people still find lawyers through referrals. So what’s the key question to ask your clients? Will you refer me to someone else? Find out who your detractors, passives and promoters are and then double down on the promoters. That’s a pretty simple marketing plan driven by data and knowing what questions to ask.


7. And what does the survey show is the main thing clients want? Responsiveness. Frictionless and mobile transactions. So Clio has initiated Project Hermes to connect with mobile and the cloud and help lawyers reach clients in this frictionless way. Again, using data to figure out where the future will be and then transforming to get there.

8. While I was listening to all the great speakers and looking at the Survey results, among other things, it occurred to me that the Survey outcomes and recommendations are not limited to small law but completely scalable to big law. Yet I’m the only big law lawyer at the conference? While I noted the same thing at ILTA, the additional whammy at Clio was that the audience was composed of lawyers: the small and mid size lawyers who may soon kick our big law ass.

9. Clio plans to give some $6 million in free software to law schools, paralegal programs and nonprofits. Clio is also launching a $1 million developer fund to support innovative legal startups and is launching a competition that will award a $100,000 prize to the best new Clio integration between now and the next Clio conference. Obviously designed to do good but also smart business: like Google, Clio is using its muscle to attract future customers, discover innovation and advance integration.

10. Oh and that new product. It’s pretty impressive and continues to be cloud based and most importantly visual and simple to use. Clio brags that it encompasses a new design, better performance, better integrations and countless improvements to existing features. But more important is how Clio developed it: Clio spent hours and hours with lawyers and law firms, talking to its users, testing and monitoring feedback from surveys and interactions.

So that’s my take. Having now attended ILTA, ALM and techShow all in the same year, I couldn’t help but think that of all of them Clio seems the most focused on where the puck is going and skating there the fastest. It’s no coincidence that Newton recognized in his keynote that to thrive companies have to reinvent themselves every 5 years. Yet we work in a profession that candidly hasn’t reinvented itself for a long time, if ever. I have a feeling if we ever do, it will be because Newton and Clio dragged us there kicking and screaming. And those who go there first will probably be Clio customers.

Recently I was the subject of a well written post by one of my favorite people, Kevin O’Keefe, in Above the Law. Kevin talked about an idea I had about a better way to handle the kind of work I have historically done: mass tort defense.

By way of background, I have spent most of my career defending mass tort actions, either litigation stemming from a single disaster or from non pharmaceutical serial litigation. Continue Reading Collaborative Disintegration: A Better Mousetrap?

It’s been said that bad facts make bad law. If that’s true then those who defend class action data breach cases better buckle down for some stormy seas. The facts surrounding the new Equifax breach couldn’t get much worse.

Equifax knew of the breach months in advance of when it announced it. It failed to take even the most simple precautions to prevent it. One key employee’s user name was reportedly admin. His password: you guessed it, admin. And some are claiming the breach was caused by the failure to keep the Equifax software up to date.

And the information held by Equifax was substantial. Names, addresses, health info, credit info, social security info. The most sensitive and valuable stuff. Not to mention the size: 140 million records were stolen.

And the fact that chief officers sold substantial stock in the company right before the breach certainly doesn’t help. Oh and by the way, if you go to Equifax to check on your personal situation, you will be directed to a page where you can buy protection from…wait for it… Equifax.

All conduct that has received publicity. All conduct which could and will raise the ire of a judge looking at the case and deciding whether to allow it to proceed against Equifax as a class action.

By way of background, Courts have been struggling with how to deal with data breach cases. The big issue is damage. Or better put, the lack thereof. In most data breach cases, it’s hard to find the more concrete, real damages that most courts are used to seeing in other kinds of cases. This makes determining whether standing for constitutional purposes exists a harder question for Courts to deal with.

Ever since the Supreme Court decided Clapper if not before, standing could be satisfied by a showing of actual damages or the “imminent threat” of actual damage. It is on the latter point that the federal circuits have split: some are more liberal and some more conservative. What is an imminent threat of harm when electronic records are stolen but not immediately used for fraud? Do the electronic records themselves and the resulting loss of privacy have value apart from any real use of them?

The plaintiffs’ argument is that we must force companies to be responsible when they put private records at risk. That privacy is a fundamental right. That it’s worth something. And that the mere theft of records by the bad guys itself shows the imminent harm: you wouldn’t steal the car keys if you weren’t going to drive the car.

The defense says that data breaches are inevitable and really can’t be stopped. How can you hold a company accountable for something that can’t be prevented? And not all hacks result in financial fraud or real damage. Indeed, so far none of the stolen Equifax information has appeared on hacker forums which could suggest that the breach may not be financially motivated.

And as the data breaches mount, as I recently wrote, more and more Courts seem willing to side with those whose personal information has been purloined even if it’s not used. And certainly, the more heinous the conduct, the more likely Courts will allow actions to proceed: it just doesn’t seem fair or right that a case against entities like Equifax should simply be dismissed and that they not be called on to account for their conduct.

So the pressure on the judiciary, even federal judges appointed for life, will be extraordinary. Can you imagine the news headlines if claims against Equifax are dismissed? The editorial comment? The backlash?

So for all these reasons, this is a situation where bad facts may result in a decision that wouldn’t otherwise be made. Once again, the judiciary will be called upon to make the square peg of technology and what it can do fit into the round hole of existing precedent, even though it doesn’t fit very well. And the solution is not obvious since, unlike most disrupters, the bind of precedent is particularly tight on judges and lawyers, making a more creative resolution (perhaps one that stops short of full blown standing but recognizes the potential risk of harm) hard to implement.

Photo Attribution: GotCredit via Flickr.

What do we call (what I shudder to mention as) “non lawyers”?

One of the interesting by-products of the increased use of technology, collaboration and disruption is the panoply of business professionals now serving the legal profession, from MBAs and marketing experts to IT folks and innovators. These professionals and others play an integral role in and for many lawyers either as employees or outsourced resources.

Given the innovation and creativity now required to succeed, these folks will be even more valuable in the future.

Ahh but notice I didn’t use the dreaded term “non lawyers” or the slightly less offensive term “staff” in describing these folks.

Continue Reading So What’s In A Name, Anyway?

NetDocuments, the popular web-based document and email management service and premier cloud storage platform, may be sitting on a hidden treasure. I chatted with Leonard Johnson, NetDocuments Product Director, over drinks at the recent International Law Technology Association Conference in Las Vegas. We had planned to talk about NetDocuments’ recent product announcements (I was covering the Conference as a lawyer but also as a contributor to the Lawyerist). But Johnson said something that was intriguing: due to its popularity, NetDocuments is sitting on a ton of unstructured data from emails to memos to pleadings and briefs to all sorts of contracts and formal documents. Continue Reading NetDocuments and Standard Oil

It was on a dreary night of November that I beheld the accomplishment of my toils. … It was already one in the morning; the rain pattered dismally against the panes, and my candle was nearly burnt out, when, by the glimmer of the half-extinguished light, I saw the dull yellow eye of the creature open; it breathed hard, and a convulsive motion agitated its limbs.

Today’s the birthday of Frankenstein. Sort of. It’s actually the birthday of Mary Wollstonecraft Shelley, the creator of the creature which is at the center of the story. (In an interesting twist of fate, in the book, it is the creator who is actually named Frankenstein, not the creature.) For those of you who never read the book (I didn’t until recently), it’s the story of the creation of a being and the torment of both the creator and the created as a result. Once he created the being, the creator became frightened and repulsed, not understanding what he had done and what the impact might be. He fled, thus setting both creature and creator on a long bad journey that doesn’t end well for either.

It’s often been cited as symbolic of the struggle with and dangers of technology although it’s really less about that than the struggle of the creator/created. But I guess in a way that struggle is similar to the struggles that we, as a society and as lawyers, in particular, are having with the technology we have created and are creating. We fear it, we fear its impact, we hate it and are repulsed by it. We love it.

“AI is a fundamental existential risk for human civilization, and I don’t think people fully appreciate that”. Elon Musk

Somewhat like the creator in the book, Elon Musk, who himself is responsible for technology in electric cars and space rockets, is sounding the alarm about AI. “I think people should be really concerned about it,” Musk said. “I keep sounding the alarm bell.”

Similar fears are echoed by Stephen Hawking who says bluntly, “The development of full artificial intelligence could spell the end of the human race”. Ironically, Hawking is using a new system developed by Intel to speak that’s based on a program that learns how the professor thinks and suggests the words he might want to use next. In other words, AI.

Technology and AI. We fear it. We hate it. We love it.

And this love-hate relationship is even more evident in the legal profession. Some lawyers treat technology like Frankenstein. I don’t need it, I don’t want it, I don’t understand it. In other words, I fear it and I ain’t going to learn about it. Some lawyers, often more experienced ones, are so emphatic about this that they proudly and publicly brag to everyone about their lack of knowledge. As if being a Neanderthal is impressive to clients and others. (P.S. It’s not.)

Perhaps it’s no wonder we have this love-hate relationship with technology: we generally confuse the creator (the Frankenstein of the book) with the created (which is generally called and thought of as “Frankenstein”). The same is true of technology: we create it and then damn the very thing we had created, confusing what we are with what we have created. Ruled by fear and remorse, Frankenstein’s creator fled once he created his “creature” without considering what his fear and ignorance would cost in the end. Or what good could come from his creation.

The technology genie (or, if you prefer, the technology “Frankenstein”) is already out of the bottle. It’s been created and will continue to develop. As a profession, we can’t flee it or ignore it. We can only embrace it.

Photo Attribution

Photo 1: Insomnia Cured Here via Flickr

Photo 2: IowaPolitics.com via Flickr

Perhaps the biggest news out of the 2017 International Legal Technology Association (ILTA) Conference happened before it even started.

ILTA describes itself as a “volunteer led, staff managed association with a focus on premiership.”

ILTA is primarily made up of large law firms and better known legal technology vendors. At this year’s conference, for example, there were lots of legal professionals from well known and well heeled law firms, few legal start ups and few practicing lawyers.

A year ago, ILTA lost its Executive Director to retirement right before its annual Conference. In March of this year, Dan Liutikas was named Chief Executive Officer. Dan was formerly with CompTIA, also a trade association for the information technology industry. He has a reputation for innovation and decisiveness.

In one of his first public acts, on Friday, August 4, the virtual eve of this year’s conference, ILTA let go Peggy Wechsler, the Director of Programs and Strategic Relationships who was the primary organizer of the annual conferences since 1998.

To many, she was the face of the organization. Continue Reading ILTA Fireworks

I just returned from the International Legal Technology Convention in Las Vegas. ILTA is big law’s technology association; the conference is ILTA’s biggest of the year and attracts vendors and law firm IT professionals. It has keynotes and educational sessions and not a few networking parties.

This was my first time at ILTA and I wore 2 hats: one hat was that of a practicing lawyer, one of the few in attendance, a fact which, as I discussed in a recent Lawyerist post, makes little sense.

Continue Reading What I Did on My Summer Vacation…. Tracking the TechLaw Crossroads