State-Of-The-Art Defense And The Internet Of Things
This article was published in Law360 on August 2, 2016. Written by Judy Okenfuss, a managing partner at Ice Miller.
The number of products connected to the internet is rapidly increasing. Smart homes, autonomous vehicles and clothing that monitor heart rate — all products once just found in science fiction — are now part of the vast array of the internet of things, a rapidly growing network of devices, objects and sensors. Manufacturing no longer means simply producing a product that works; now, products must also compile, analyze and use significant quantities of data in real time.
Every day, companies are finding new ways in which the data generated by the internet of things can be interpreted to improve their products and, more importantly, provide previously unheard of services to consumers. The medical industry is one of the leaders in this field. Insulin pumps, implantable defibrillators and other medical devices send data to health care providers who can immediately implement any changes needed in treatment — all through the internet. The motor vehicle industry is another leader. Driverless cars are now operating on our roadways. Some companies are already operating fleets of autonomous vehicles in which they control the operation of the vehicles, such as path and speed, and, also, monitor vital signs remotely. If a vehicle needs maintenance or repairs, this information can be detected early before breakdowns or accidents occur — thus improving productivity and reliability.
Companies are approaching the internet of things in different ways. Caterpillar Inc. has an Analytics and Innovation Division that is seeking to “transform the mountains of incoming data — from a single machine or engine, an entire job site, the supply chain, a shipping location and much more — into valuable information for our customers and suppliers ... ” Other manufacturers are looking to partner with technology companies. For instance, Komatsu Ltd. and General Electric Co. formed a data partnership to allow Komatsu to use available data to determine the most efficient trucking routes for customers and to improve speed at mining sites. 
As more products become connected to the internet, the question as to how traditional product liability law will address this rapidly expanding group of products must be addressed. One of the first areas that will need to grapple with these changes is the state of the art defense. Different jurisdictions have varying applications of the state of the art defense, from a complete defense in strict liability matters to a factor in evaluating the feasibility of an alternative design to a consideration in determining the reasonableness of a manufacturer’s conduct. In all of these applications, courts generally look to whether a product incorporates “the best technology reasonably feasible at the time the product was designed, manufactured, packaged and labeled.” Similarly, the statutory definitions of state of the art looks to the feasibility of technology: “State of the art means the technical, mechanical and scientific knowledge of manufacturing, designing, testing or labeling the same or similar products that was in existence and reasonably feasible for use at the time of manufacture.” In determining whether the knowledge is available, courts have found that “a manufacturer is held to the knowledge and skill of an expert in the field; it is obliged to keep abreast of any scientific discoveries and is presumed to know the results of all such advances.”
The internet of things will bring new challenges to companies hoping to prove that their products are state of the art. For instance, can an automobile manufacturer claim that its car, which does not incorporate autonomous capabilities but has other safety features, incorporates the best technology reasonably feasible, as required for the state of the art defense? Tesla Motors Inc., Google Inc. and other companies have demonstrated the feasibility of autonomous vehicles. Testing shows reduced accidents for these vehicles. Or, will a manufacturing process without automation controls meet state of the art requirements when the use of interconnected devices allows a company to minimize failure rates?
In answering these questions, an important factor is whether a technology is reasonably feasible. Courts have wrestled with this question when faced with new developing technologies. In Cox v. Ford Motor Co., No. 1 CA-CV 09-0288, (Ariz. Ct. App. Sept. 21, 2010), the court was asked to determine whether a single stage air bag inflator was state of the art in 1995, as claimed by the defendant. In denying summary judgment for the defendant, the court found persuasive that dual stage inflators (the technology which the plaintiff contended should have been used) “were on the shelf ready to be implemented,” even though at the relevant time no cars in the United States had been sold with the dual stage inflator technology. Id. at *5. In Anderson v. Techtronic Industries North America Inc., No: 6:13-cv-1571, (M.D. Fla. Nov. 23, 2015), the court was asked to consider whether a table saw needed to incorporate flesh detection technology. In determining whether such technology was feasible, the court determined that evidence that the technology was not reasonably available and that introduction of this technology would “transform the [table saw] into a much heavier saw costing many times more” was not sufficient to support summary judgment for the manufacturer. Id. at *4. As the internet of things continues to develop, courts will need to consider similar factors when faced with a state of the art defense, especially with regard to products which are not collecting, analyzing and using the available data.
As for the products which are part of this connected network, there will be additional considerations for the courts in considering a state of the art defense. There have been serious vulnerabilities relating to security of data shown in products as diverse as cars and baby monitors. Fiat Chrysler Automobiles NV recalled over a million vehicles where it was shown that vehicles could be taken control of remotely. Reports have been made of strangers hacking into video baby monitors and watching children. Without appropriate protections, devices used in smart homes, such as internet-connected security devices and keyless entries can be hacked and disabled.
As such, any product connected to the internet will also need to demonstrate that it employed state of the art techniques in the protection and handling of data. Although the courts have not yet addressed what might be considered state of the art in this regard, generally, a state-of-the-art system with regards to the data being generated and collected should ensure that data collected will not be misused by unauthorized persons and that product access is limited to authorized users. To reach this goal, a manufacturer cannot simply focus on the design and manufacture of the physical product. Rather, a similar level of attention will need to be given to the infrastructure that manages the data and the protection of the data. Some companies employ privacy by design, which is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices and physical infrastructures. Privacy by design requires the product designers to think about privacy from the outset. Privacy considerations will impact the risk assessment and could have a significant effect on any failure mode effects analysis performed on the product.
Regardless of the manner in which manufacturers approach the issue, factors that may be considered in determining whether a product has incorporated protections that are reasonably and technically feasible at the time of manufacture include, among other factors, whether manufacturers incorporated the latest techniques for encryption of data and authentication of information. The courts may seek confirmation that as part of the design process manufacturers used reasonable information security coding practices, followed peer code review and conducted security assessments. Also, courts may consider whether quality assurance testing includes penetration testing and other security measure testing before release into the stream of commerce. Finally, courts may broaden the responsibilities of manufacturers and for connected devices require monitoring after sale and patching of identified vulnerabilities. Although the specific factors to be considered are not yet known, there is no question that, as the internet of things expands, so does the technology available to manufacturers. As such, it may only be a matter of time until the courts find that the use of interconnected devices, including the collection, analysis and use of the data generated, is reasonably feasible and required for any manufacturer seeking the protections of the state of the art defense.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.