by Kevin DiLallo, Laura McDonald and Joe Schmidt

IoT providers need to take responsibility for performance

Feb 14, 2019

Internet of Things | Security

To ensure the security and privacy of Internet of Things deployments, vendors, service providers and corporate IT practitioners must assume responsibility for the integrity of their IoT networks and the data they handle.


Last year saw the continued growth of enterprises adopting internet of things solutions, with companies harnessing the power of wireless data collection, analytics and connectivity to enhance productivity and efficiency in ways we could previously not imagine.

Analysts expect corporate spending on IoT in the U.S. to approach $200B in 2019, with global spending exceeding $800B. As adoption has grown, privacy and security advocates have called for regulating IoT to enhance personal privacy and to strengthen the security of IoT devices and services.

Several high-profile data breaches in the past few years were the result of attacks that used unsophisticated, vulnerable IoT devices such as nanny cams as the entry point into otherwise secured computer networks. Researchers have even demonstrated compromising home networks using Wi-Fi connected “smart” IoT lightbulbs as the gateway.

IoT regulation hasn’t happened

Despite the hype and some hearings before Congress and the Federal Trade Commission, no legislation or regulations have been adopted at the federal level to regulate IoT devices or services. Three bills were introduced in Congress in 2017 – the Cyber Shield Act (which would have made IoT security voluntary); the Internet of Medical Things Resilience Partnership Act (also voluntary, but focused on IoT medical devices); and the Internet of Things Cybersecurity Improvement Act (which would have set product standards for devices sold to the government) – but none of them became law.

Indeed, lawmakers on both sides of the aisle have advocated taking a hands-off approach to IoT, attributing the rapid growth of the Internet in the ’90s to a lack of governmental interference. In our view, that’s a good thing – at least for the moment – because IoT holds so much promise for new innovation and economic opportunity, and because premature regulation could hobble its development. Issues such as security vulnerabilities in unsophisticated sensor/radio devices will undoubtedly be addressed by market forces: purchasers will demand greater security and suppliers will respond accordingly.

Who’s responsible when IoT fails?

As practitioners who advise clients purchasing IoT devices and services, we believe there is one important issue underlying the IoT that producers and commercial customers must resolve: Who is responsible to end users who may be harmed when an IoT device or transmission service fails or is compromised by a bad actor?

The current industry approach is for providers of IoT equipment and wireless data service to shift that responsibility to their corporate customers, who buy IoT devices and service, repackage them for a variety of consumer and business applications (e.g., health care, security, energy transmission, transportation), and sell them to other businesses or individual consumers.

Although those middleman, value-add solution providers have the direct relationship with the ultimate consumers of IoT devices and services, they are neither the radio manufacturers nor the providers of wireless data service, so they depend upon their suppliers for reliable products and services. In our view, the underlying radio manufacturers and service providers need to assume more responsibility to end users for performance failures. As the market matures, suppliers and users will eventually resolve this issue, though it will almost certainly come at an increased cost for IoT devices and wireless service.

Companies that purchase IoT devices, either for internal operations or for resale to customers, should proactively explore what additional security measures they should implement, given the vulnerability of IoT devices that are interconnected with their networks.

And companies that use IoT devices to collect personal information, such as health-related information or location information, need to be cognizant of their obligations under Europe’s GDPR and other privacy laws when they handle that personal information.

Kevin DiLallo and Laura McDonald are partners at Levine, Blaszak, Block & Boothby (LB3), a D.C. law firm, and Joe Schmidt is a Project Director at TechCaliber Consulting (TC2). The firms help maximize businesses’ return on investment in information communication technology.