IT security in the Internet of Things (IoT) presents a new and complex challenge. To produce this security, all stakeholders must shoulder responsibility – the state, providers of hardware and software, services providers, and users. Each of these stakeholder groupings plays a different role and is also responsible in its respective area for creating and maintaining security in the connected world. An appropriate level of IT security can only be achieved collectively. A one-sided assignment of responsibility for IT security or its vulnerabilities is not the appropriate way forward.
IT security risk, causality, and liability – ensuring proportionality for all stakeholders
At the same time, we should be mindful of the fact that there are always residual risks, with IoT being no exception. Liability regimes should not convey the impression that risks in complex IT systems will be excluded on a large scale in the future as, in the context of digitalization, that would lead to a general discrimination against IT in the medium to long term. Particular care should therefore be exercised when it comes to deducing causalities and consequential damages.
We should clarify in advance where liability needs and gaps exist and how we can address them sensibly together – for example, by assigning responsibility to the various stakeholder groupings involved, or through new liability regimes.
General requirements and regulations for liability should be achievable, comprehensible, and proportionate for all – product-specific technical requirements alone are not helpful.
Sector-specific rules must be accorded due consideration. No conflict should be allowed to arise between sector-specific liability provisions and general liability provisions for IT security. The interaction of the various regimes must not lead to responsibility being imposed on a one-sided basis on the IT sector alone.
Multi-stakeholder approach can do justice to the various interests in IT security
eco is of the firm opinion that a multi-stakeholder approach, taking into account the aspects mentioned here, can provide meaningful answers to the open questions regarding liability in connection with IT security and thus do justice to the various interests that need to be taken into account. For us as the largest association of the Internet industry in Europe, it goes without saying that only EU-wide answers would be deemed appropriate.
Norbert Pohlmann is a Member of the Board and Director of IT Security at eco – Association of the Internet Industry. He holds two positions at Westphalian University of Applied Sciences, Gelsenkirchen: Professor of Distributed Systems and Information Security in the field of IT, and Managing Director of the Institute for Internet Security. For five years, he was a member of the "Permanent Stakeholders' Group" of ENISA (European Network and Information Security Agency), the European Community's security agency (www.enisa.europa.eu).