Cyber attacks now reach a broad range of connected devices, ranging from connected toys, fitness trackers, home alarm systems, cars and medical devices to connected manufacturing and infrastructure. Attacks on this broad range of connected devices—often referred to as the Internet of Things—can raise distinct issues from incidents involving enterprise systems. Below, we highlight five key features of responses to attacks on connected devices.

High stakes of incidents. Attacks on connected devices may result in the loss of sensitive personal information or of commercially valuable information. But the gateway to the physical world offered by connected devices also introduces safety risks that are not typically present in cybersecurity incidents involving enterprise systems. A connected car could be manipulated on the highway, for example, or a medical device could be remotely tampered with so that it delivers an incorrect dosage. These potential outcomes can reorder priorities and alter approaches significantly—changing an incident's focus from what data was compromised to whether there is a risk of physical harm.

Different stakeholders. The different priorities that can be put into play by attacks on connected devices can demand the participation of a different group of stakeholders in the incident response team. Groups responsible for product quality, safety, and research and development may take prominent roles, despite often having no role under the enterprise incident response plan. This, in turn, can require the integration of established processes—and cultures—of these different groups to ensure that the combined team works effectively and collaboratively. Likewise, different external resources, including forensics teams that are expert in embedded systems, may be better suited to support the response to attacks on connected devices.

Technical challenges throughout the response process. Many incident response teams have become accustomed to a fairly robust set of technical capabilities that facilitate the response process. These technical capabilities may be replaced by challenges in responding to connected device incidents. For example, many connected devices do not support sophisticated intrusion detection or logging, making the detection and investigation of an incident very difficult. Other connected devices do not support remote patching, making remediation challenging and costly.

Practical challenges. Incident response teams may face numerous practical challenges in responding to an attack on connected devices. It may be very difficult to reach customers to inform them about a necessary patch, for example. It may not be possible to update manufacturing systems without the risk of changing their performance of critical and highly calibrated functions. Relevant suppliers may lack the necessary capabilities to support the response to an incident or may have stopped supporting a particular device, in part because relevant contracts did not contemplate such support. Moreover, the cost to fix the problem may be greater than the replacement value of a product, particularly for less sophisticated connected devices.

Different regulatory and litigation risks.Connected device cybersecurity incidents can give rise to the regulatory and litigation risks associated with a traditional data breach, as well as the regulatory and litigation risks associated with physical safety. In the United States, for example, regulators such as the FDA, NHTSA, and the Consumer Product Safety Commission likely will have a significant interest in the response to an attack on connected products, and the agencies responsible for critical infrastructure will be keenly interested in attacks on manufacturing or infrastructure. Moreover, litigation risks may reach beyond concerns about the potential harm associated with the loss of personal data to physical injuries that are the province of product liability or mass tort litigation.

These distinctive features of attacks on connected devices place equivalent, distinctive pressures on the incident response team. As with other incidents, preparation can be critical, with experience handling these complex incidents helping companies refine their approaches appropriately over time.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.