Dennis said some of that is changing, noting that California’s IoT regulation “requires manufacturers of connected devices to utilize ‘reasonable’ measures to ensure that the systems they build have adequate security.”
But of course, “reasonable” could mean many different things in different circumstances.
So, as is often the case in industries ranging from automotive to tobacco, legal liability may move the needle more quickly than anything else.
Physical damages from insecure devices could open “various avenues of legal liability,” Chakravarty said, ranging from civil suits brought by injured users, business partners and shareholders to more aggressive sanctions by government to criminal liability.
Avoiding that list of potential calamities takes measures that should be fundamental but are a long way from universal. Besides building security into products before they hit the market, companies need to “be transparent in contractual relationships as to what risks are being borne by whom—what are the obligations of each business partner, software provider, hardware manufacturer, network component, and in some cases, what is a user responsibility,” Chakravarty said.
“To limit liability, companies need to show that they take security more seriously than the users of their products do.”
So far, that is still very obviously a long way from reality. But a few major class action lawsuits might change it.