Page 1: IoT Security and Privacy Risks

Fast Forward: Hot Technology Law Topics May 24, 2016

1

Page 2: IoT Security and Privacy Risks

Overview/Agenda

• An Internet of Things (IoT) Panorama: What is IoT, what’s driving it, and who regulates it (David Bodenheimer)

• IoT on Trial: disrupting discovery, mass torts, and product liability (Steve Teppler)

• Big Data and the Cloud: why you need an umbrella (Karli Swift)

• IoT Security and Privacy Risks (Lucy Thomson)

• Autonomous Vehicles, Drones, and Robots: compliance, liability, and information governance (Steve Wu)

• Takeaways (All)

2

Page 3: IoT Security and Privacy Risks

Panel

• Ruth Hill Bro (Moderator), Privacy Attorney, Chicago; Membership and Diversity Committee Chair and Past Section Chair, SciTech Section; [email protected]

• David Z. Bodenheimer, Partner, Crowell & Moring LLP, Washington, DC; Co-Chair, Security, Privacy and Information Law Division and Section Vice-Chair, SciTech Section

• Karli Swift, Associate, Baker, Donelson, Bearman, Caldwell & Berkowitz, Atlanta; Co-Chair, Big Data Committee, SciTech Section

• Steven W. Teppler, Partner, Electronic Discovery & Technology Based Litigation, Abbott Law Group, P.A., Jacksonville, FL; Chair, Internet of Things Committee, SciTech Section

• Lucy L. Thomson, Founding Principal, Livingston PLLC, Washington DC; Co-Chair, Security, Privacy and Information Law Division and Past Section Chair, SciTech Section

• Stephen Wu, Of Counsel, Silicon Valley Law Group, San Jose, CA; Past Section Chair, SciTech Section

3

Page 4: IoT Security and Privacy Risks

An Internet of Things Panorama: What is IoT, What’s driving it, & Who regulates it?

David Z. Bodenheimer, Crowell & Moring LLP (www.crowell.com)

[email protected]

4

Page 5: IoT Security and Privacy Risks

Peering Far into the Future

SciTech 2006 – The SciTech Lawyer (2006)

SciTech 2016 – Internet of Things
• Too Big to Regulate?
• Too Ubiquitous to Miss?
• Too Fast to Keep Up?

5

Page 6: IoT Security and Privacy Risks

IoT Technology Tsunami

• More Devices than Humans – 25 Billion Devices – 50 Billion (2020)

• 127 Devices/Second – Devices added to Internet (5.4M/day)

• $11 Trillion Global Economy – $2 Trillion (2016) – $11 Trillion (2025)

6

Page 7: IoT Security and Privacy Risks

Internet of Things?

• What is the Internet of Things? – Definitions & Examples

• Why do we care about IoT? – Benefits & Risks

• How is IoT regulated? – Congressional & Regulatory Oversight – Challenges & the Future

7

Page 8: IoT Security and Privacy Risks

What is IoT?

White House Report

“The ‘Internet of Things’ is a term used to describe the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks.”

8

Page 9: IoT Security and Privacy Risks

Other Definitions

• FTC Report (2015) – Various experts

• CRS Report (2015) – Broadly defined

• NIST Guide (2016) – Being defined

What is IoT? The Real Answer

“Ask me what the Internet of Things is. My usual answer is, ‘I don’t know.’” Senator Fischer quoted in Politico (June 29, 2015)

9

Page 10: IoT Security and Privacy Risks

What is IoT? IoT = Smart!

By Example
• Smart Homes – HVAC, lights, locks
• Healthcare – Inhalers, monitors
• Smart Cities – Pollution monitors & transportation

More Examples
• Smart Farming – Sensors, drones
• Energy – Clean tech
• Industrial Uses – Factory sensors – Predictive O&M – Supply chain

10

Page 11: IoT Security and Privacy Risks

Why care about IoT?

Senate Res. 110

• Economic Impact • Consumer Benefits • Business Efficiencies • Smart Cities • Innovation • Global Competition

[S. Res. 110 (Mar. 24, 2015)]

11

Page 12: IoT Security and Privacy Risks

Why care about IoT?

Benefit Cornucopia
• Economics -- $$$ – $2 Trillion (today) – $11 Trillion (2025)
• Business Efficiencies – 10-20% energy savings – 10-25% labor efficiencies

And More
• Consumer Benefits – 95% auto accidents – Nursing home glut – $1.1 Trillion remote monitoring savings
• Global Innovation – U.S. leadership – Global competition

12

Page 13: IoT Security and Privacy Risks

Why care about IoT?

Risks Unlimited?
• Cybersecurity – 25 billion devices – 50 billion by 2020 – Automated links – Supply chain length – Cyber espionage

“every node, device, data source . . . a security threat” [DHS IoT (Dec. 2015)]

And More?
• Privacy – Zettabytes of data – All transport – Smart cities – IoT + drones – Surveillance

*FTC Report *CRS Q&A *Hill Hearings

13

Page 14: IoT Security and Privacy Risks

Who regulates IoT?

Patchworks
• Privacy Patchwork – HIPAA (healthcare) – GLB (financial) – FERPA (educational) – Privacy Act (federal)
• Cyber Patchwork – FISMA (federal) – HIPAA/GLB, etc.

Integrated Tech
• IoT + Drones – “Next trillion files” – FAA regulate?
• IoT + Cloud – Big Data = Bigger – GSA & FedRAMP?

14

Page 15: IoT Security and Privacy Risks

Who regulates IoT?

• Congressional Committees – “more than 30 different congressional committees” [Politico (June 2015)]

• Congressional Hearings – Senate Commerce (Feb. 2015) – House Commerce (Mar. 2015) – House Judiciary (Jul. 2015)

15

Page 16: IoT Security and Privacy Risks

Who regulates IoT?

Federal Agencies
• FCC – Spectrum management
• DHS – Critical infrastructure
• FTC – Consumer devices
• FDA – Medical devices

And More
• DOE – Smart grid
• DOT – Connected cars
• DOD – IoT advanced tech
• DOJ – Law enforcement

16

Page 17: IoT Security and Privacy Risks

Who regulates IoT?

NIST Publication

“However, the current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident. Therefore, a composability model and vocabulary that defines principles common to most, if not all networks of things, is needed to address the question: ‘what is the science, if any, underlying IoT?’” [NIST, Draft NISTIR 8063 (Feb. 2016)]

Privacy of Things

“The Internet of Things (IoT) will create the single largest, most chaotic conversation in the history of language. Imagine every human being on the planet stepping outside and yelling at the top of their lungs everything that comes into their heads, and you still wouldn’t be close to the scale of communications that are going to occur when all those IoT devices really get chattering.” [Geoff Webb, How will billions of devices impact the Privacy of Things? (Dec. 7, 2015)]

17

Page 18: IoT Security and Privacy Risks

IoT in Your Future

IoT in 2016
IoT in 2017
• 1.9 Billion More Devices
• Another $2 Trillion
• More Hill Scrutiny
• Expanded IoT Regulation
• Harder Cyber Issues

ABA IoT National Institute, April/May 2017, Washington, DC

18

Page 19: IoT Security and Privacy Risks

The Internet of Things on Trial: Disrupting Discovery, Mass Torts and Product liability

American Bar Association Section of Science and

Technology Internet of Things Committee

Hot Topics Call May 24, 2016

a.k.a. - More of the same things change…

Steven W. Teppler Abbott Law Group, P.A.

19

Page 20: IoT Security and Privacy Risks

What is the Internet of Things (a.k.a. “IoT”)?

• A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data – Objects can be physical or logical

20

Page 21: IoT Security and Privacy Risks

Another IoT Definition

• The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications. The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid. (From Wikipedia)

21

Page 22: IoT Security and Privacy Risks

A Brave New World - of Disruptive Technologies

• Pervasive Computing
• Social Networks
• Mobile Computing
• Big Data
• Internet of Things
• Cloud Computing
• Augmented & Virtual Reality
• Artificial Intelligence & Robotics
• 3D Printing & JIT Manufacturing
• Privacy & Security Technologies
• Wearable Computers

22

Page 23: IoT Security and Privacy Risks

Some Factoids: Where IoT is Headed

23

Page 24: IoT Security and Privacy Risks

And that’s not all… The Internet of Things includes:

24

Page 25: IoT Security and Privacy Risks

IoT Concerns - Security

– Some say that if one thing can prevent the Internet of Things from transforming the way we live and work, it will be a breakdown in security.

25

Page 26: IoT Security and Privacy Risks

Existing and New Security Issues

New Business Associate Compliance Requirements

26

Page 27: IoT Security and Privacy Risks

Driverless Cars

27

Page 28: IoT Security and Privacy Risks

Telepresence Robots

28

Page 29: IoT Security and Privacy Risks

Drone Commercialization

29

Page 30: IoT Security and Privacy Risks

Drone Video and Images

30

Page 31: IoT Security and Privacy Risks

Mobile Health Revolution

31

Page 32: IoT Security and Privacy Risks

Automotive Platforms

32

Page 33: IoT Security and Privacy Risks

Security Risks

33

Page 34: IoT Security and Privacy Risks

Another Explosion of Information to Curate

• Business Intelligence • Business Continuity • Regulatory Compliance • Preservation • Litigation

34

Page 35: IoT Security and Privacy Risks

Challenges for ERM Professionals – IoT and Document Retention

• What is an IoT “document” or “record?” – Identify and evaluate IoT information for proper incorporation into a document retention policy

35

Page 36: IoT Security and Privacy Risks

Challenges - IoT and Electronic Discovery

• ESI Preservation • Identification • Collection • Production

36

Page 37: IoT Security and Privacy Risks

Challenges – Mass Liability Potential

– The size, monoculture (uniformity), insecurity, and non-standardized coding and manufacture of connected devices and services provided through them put millions of users of the “Internet of Things” at risk for serious injury and financial harm on a massive scale

– Consider 25 billion connected devices by 2020 • https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

37

Page 38: IoT Security and Privacy Risks

Internet of Things – That Can/Will Give Rise to Liability… and to eDiscovery Issues

38

Page 39: IoT Security and Privacy Risks

IoT Liability Concerns – Why?

• Coding for these devices is often a one-time event, will become obsolete and ultimately fail to properly work, either through neglect (no upgrades) or through faulty initial design

• Testing of these devices is unregulated, unaudited and generally not disclosed (so what is the MTBF for an IoT?)

• Coding for these devices is unregulated, unaudited, and subject to little if any quality control

• Security (and security standards) for these devices have yet to be adopted or even developed

• Most IoT devices have no logging mechanisms to record failure or malfunction events

39

Page 40: IoT Security and Privacy Risks

Questions?

Thank you

Steven W. Teppler [email protected]

40

Page 41: IoT Security and Privacy Risks

Big Data and the Cloud: Why You Need an Umbrella?

Karli Swift Baker Donelson

[email protected]

41

Page 42: IoT Security and Privacy Risks

Overview/Agenda

• Introduction to Big Data and Cloud Computing

• Legal Implications – Notice and Consent – Ethical Issues – Key Contract Terms

• New Developments

42

Page 43: IoT Security and Privacy Risks

Introduction to Big Data and the Cloud

43

Page 44: IoT Security and Privacy Risks

Big Data

– Retailer adjusts pricing in near-real time for items, based on demand and inventory, using data sets.

– Thermostat learns human patterns to cool or heat when needed and creates a digital record of its operations, when it activates the HVAC system, and the temperature of the house.

44

Page 45: IoT Security and Privacy Risks

The Cloud

45

Page 46: IoT Security and Privacy Risks

Legal Implications

46

Page 47: IoT Security and Privacy Risks

Notice and Consent

– Types of Information Collected

– Privacy Policy vs. Terms of Use

– Express vs. Implied Consent

47

Page 48: IoT Security and Privacy Risks

Software as a Service

48

Page 49: IoT Security and Privacy Risks

Key Contract Terms

– What information is being collected?
– Are other laws implicated? (e.g. PHI = HIPAA)
– Risk Allocation • Service Level Agreements • Data Security • Intellectual Property • Indemnification

49

Page 50: IoT Security and Privacy Risks

Final Thoughts and Resources

50

Page 51: IoT Security and Privacy Risks

New Developments

• Federal Trade Commission Report: Big Data: A Tool for Inclusion or Exclusion?

http://1.usa.gov/1n52gG6

51

Page 52: IoT Security and Privacy Risks

Questions?

52

Page 53: IoT Security and Privacy Risks

Lucy L. Thomson, Esq. CISSP, CIPP/US/G Past Chair, ABA Section of Science & Technology Law Livingston PLLC Washington, D.C.

IoT Security and Privacy Risks

Thomson © 2016 53

Page 54: IoT Security and Privacy Risks

• $3.1 Trillion in 2025 • Smart Cities

Thomson © 2016 54

Page 55: IoT Security and Privacy Risks

IoT Presents New Risks

• Threats – new character
• Vulnerabilities – present at every level of the stack – Documented by NIST Guide to Industrial Control Systems (ICS) Security, NIST Spec Pub 800-82, Rev. 2 (May 2015)
• Consequences—disruption of operations and services can be catastrophic – Potential cascading failures

Thomson © 2016 55

Page 56: IoT Security and Privacy Risks

IoT/Big Data—A Torrent of Data at Risk

Massive Data Breaches Create Heightened Risk
• e-Bay, 145 million records breached (2014)
• Heartland, 130 million (2008-09)
• Target, 110 million (2013)
• Sony Online Entertainment, 102 million (2011)
• JP Morgan Chase, 76 million (2014)
• Anthem BlueCross BlueShield, 69-80 million (2015)
• Epsilon, 60-250 million (2011)
• Home Depot, 56 million (2014)
• TJX, 46 million (2006-07)
• Office of Personnel Management (OPM), 22.5 million security clearance records, 5 million fingerprints (2015)

Thomson © 2016 56

Page 57: IoT Security and Privacy Risks

A Few Hackable Things . . .

• Toys
– Hello Barbie (http://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children)
– Star Wars BB8 (https://www.pentestpartners.com/blog/star-wars-bb-8-iot-toy-awesome-fun-but-can-it-be-turned-to-the-dark-side-with-this-vulnerability/)
– Toy drones (https://www.rt.com/news/hacker-drone-aircraft-parrot-704/)
– Commercial and military drones too (http://www.bbc.com/future/story/20140206-can-drones-be-hacked?ocid=ww.social.link.email)

• Home appliances, such as . . .
– HVAC systems – e.g., Trane Thermostat (http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/#more-33751)
– Refrigerators (http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html)
– “Smart” toilets (http://www.forbes.com/sites/kashmirhill/2013/08/15/heres-what-it-looks-like-when-a-smart-toilet-gets-hacked-video/#4545f4352b15)

Thomson © 2016

57

Presenter
Presentation Notes
Refrigerator & other home appliances hijacked as “thingbots” to send spam
Food spoilage --> food poisoning
Page 65: IoT Security and Privacy Risks

Hackable Things That Can Hurt . . .

• Automobiles
– Jeep hack (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
– Driverless cars (http://www.nationaldefensemagazine.org/archive/2015/May/Pages/ResearchersHackIntoDriverlessCarSystemTakeControlofVehicle.aspx)

• Medical devices
– Insulin pumps (http://juntoblog.net/medical-device-hacks-when-cyber-risk-becomes-deadly/)
– Pacemakers (http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#3a07041e13e0)
– And others (http://null-byte.wonderhowto.com/forum/is-hacking-implanted-medical-devices-next-big-cyber-crime-0149205/)

• Hospitals (https://securityevaluators.com/hospitalhack/securing_hospitals.pdf)

65

Presenter
Presentation Notes
Wired.com stunt – publicity led to Chrysler recall, though others probably equally vulnerable
Embedded systems in medical devices
You could prompt insulin pump to arbitrarily reject or restrict insulin production
2012 Homeland episode – hacked VP pacemaker AKA “hacking humans”
2-23-16 Indep. Security Evaluators “Hacking Hospitals” report – “attack surfaces” chart
Device mfr. liability for hackable product; medical provider liability for failing to maintain secure network
Page 72: IoT Security and Privacy Risks

. . . and Giant Hackable Things

• Nuclear facilities – e.g., Stuxnet incident (http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/)

• Industrial plants – e.g., German blast furnace (http://www.bbc.com/news/technology-30575104)

• Transportation networks – e.g., Polish tram system (http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html)

• Pipelines – e.g., Turkish pipeline explosion (http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar)

• Power grids – e.g., December 2015 Ukraine incident (http://www.homelandsecuritynewswire.com/dr20160216-russian-govt-behind-attack-on-ukraine-power-grid-u-s-officials)

72

Presenter
Presentation Notes
Industrial control systems (ICS) vulnerability – Critical infrastructure
German mill -- attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal.
Tram hack – teenage boy
2008 Turkish pipeline explosion – Russia suspected
2015 Ukraine incident – Russia suspected
Page 79: IoT Security and Privacy Risks

2016 Assessment

Devices designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructure and U.S. Government systems.

Broader adoption of IoT devices and Artificial Intelligence (AI)—in settings such as public utilities and health care—will only exacerbate these potential effects.

79

Page 80: IoT Security and Privacy Risks

2015 Assessment

• Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come.

• …we foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.

80

Page 81: IoT Security and Privacy Risks

IoT Devices May Be Inherently Insecure

IoT Devices Can Become Attack Vectors into the Entire Network

• Security is not built into the architecture and design of the device or software
• The IoT device lifecycle is much longer (~10 years) than the software in the devices (~two years)
• Vendors may not provide software patching or support the software in the future
• IoT devices are being used in ways they were not designed for or with other technologies that create security risks

Thomson © 2016 81

Page 82: IoT Security and Privacy Risks

Resources

• NIST Cyber-Physical Systems, http://www.nist.gov/cps/
• NIST Cybersecurity Framework (2014), http://www.nist.gov/cyberframework/
• Energy Information Sharing and Analysis Center (ISAC)
• Cybersecurity Procurement Language for Energy Delivery Systems
• Center for Internet Security, 20 Critical Security Controls for Effective Cyber Defense (2015), http://www.cisecurity.org/critical-controls/

82

Page 83: IoT Security and Privacy Risks

FREE TO THOSE WHO JOIN SCITECH: These 2013 issues (100 pages) of The SciTech Lawyer, the quarterly magazine of the Section of Science & Technology Law, are the culmination of SciTech's year-long exploration of the mobile transformation. We continue to explore this continually evolving area.

Check out other SciTech books www.ambar.org/scitechbooks.

83

Page 84: IoT Security and Privacy Risks

The Data Breach and Encryption Handbook provides a road map through the requirements of the state data breach laws and HITECH, analyzes the security failures of the major data breaches, and demystifies encryption for businesses, IT professionals, and lawyers. Check out other helpful SciTech books at www.ambar.org/scitechbooks.

84

Page 85: IoT Security and Privacy Risks

Stephen S. Wu Silicon Valley Law Group (www.svlg.com)

[email protected]

Autonomous Vehicles, Drones, and Robots: Compliance, Liability, and Information Governance

85

Page 86: IoT Security and Privacy Risks

Overview

• Autonomous Vehicles and Drones in the News
• Compliance
• Liability
• Information Governance
  – Privacy
  – Security

86

Page 87: IoT Security and Privacy Risks

Autonomous Vehicles

87

Page 88: IoT Security and Privacy Risks

Drones in the News

88

Page 89: IoT Security and Privacy Risks

Ground and Sea Drones

Neighborhood delivery
Maritime applications

89

Page 90: IoT Security and Privacy Risks

Compliance

90

Page 91: IoT Security and Privacy Risks

AV Regulation/Influence

Regulation
• International—Geneva and Vienna Conventions
• Federal (DOT, NHTSA)—FMVSS, recall authority
• State (DMVs)—vehicle codes
• Local—ordinances regarding traffic control

Non-Governmental Entities
• Insurers—underwriting practices (driver + product liability)
• Private plaintiffs
• Standards bodies
• Trade groups

91

Page 92: IoT Security and Privacy Risks

State automated driving laws

Source: Gabriel Weiner and Bryant Walker Smith, newlypossible.org

92

Page 93: IoT Security and Privacy Risks

Regulation of Drones

• Federal Aviation Act of 1958 – regulation of navigable airspace
• How the Federal Aviation Administration regulates
• Different uses of drones
• FAA Modernization and Reform Act of 2012
• Certificates of Authorization or Waiver (COAs)
• NTIA privacy best practices

93

Page 94: IoT Security and Privacy Risks

Liability

94

Page 95: IoT Security and Privacy Risks

$4 Billion Plus Liabilities

95

Page 96: IoT Security and Privacy Risks

Potential Parties

• Raw Materials Seller
• Component Part Manufacturer
• Manufacturer of Finished Product
• Distributor
• Retailer
• Aftermarket Product Seller
• Service Company
• Owners
• Government

96

Page 97: IoT Security and Privacy Risks

Potential Parties

• Software Developer
• Big Data Service Provider
• Cloud Hosting Vendor
• Infrastructure Service Provider
• Security Technology Vendor
• Managed Security Service Provider

97

Page 98: IoT Security and Privacy Risks

Possible Causes of Action

• Strict Liability
• Negligence
• Warranty (Express or Implied)
• Fraud
• Statutory Claims
  – Unfair or Deceptive Trade Practices
  – False Advertising
• Security or Privacy Breach

98

Page 99: IoT Security and Privacy Risks

Information Governance

99

Page 100: IoT Security and Privacy Risks

Pervasive Data Collection

100

Page 101: IoT Security and Privacy Risks

Lesley Stahl Driving

101

Page 102: IoT Security and Privacy Risks

Voluntary Best Practices for Drone Privacy

• Inform others
• Minimize data collection
• Limit use and sharing
• Secure collected data
• Monitor and comply with applicable law

From: NTIA Best Practices for UAS Privacy, Transparency, and Accountability, May 18, 2016

102

Page 103: IoT Security and Privacy Risks

Drone Vulnerabilities

103

Page 104: IoT Security and Privacy Risks

The Larger Picture

[Diagram: Pervasive Computing, surrounded by the following technologies]

• Social networks
• Mobile computing
• Big Data
• Internet of Things
• Cloud Computing
• Augmented & Virtual Reality
• Artificial Intelligence & Robotics
• 3D Printing & JIT Manufacturing
• Privacy & Security Technologies
• Wearable computers

104

Page 105: IoT Security and Privacy Risks

Takeaways

105

Page 106: IoT Security and Privacy Risks

FAST FORWARD

Join us for two new Fast Forward webinars in the 2016-2017 bar year:
• Fast Forward: Hot Science Law Topics
• Fast Forward: Hot Technology Law Topics

FREE for SciTech members. Designed to get you up to speed on the latest science and technology law developments. Brought to you by SciTech's Membership and Diversity Committee. Find out more at ambar.org/scitech

106