Interconnected Devices and Products Liability

We have occasionally discussed on this site (as recently as this week…) the implications of interconnected devices and the Internet of Things.

Here is an article that asks “should cyber-security vulnerabilities really be treated the same as design defects under traditional products liability law?”

The specific context is an infusion pump system that the Federal Drug Administration in the US thought was insecure and sent a warning about – a warning that sounded like a ‘defective product’ warning. The article raises a number of concerns about thinking about a security defect like another defect, including many complications about who might be liable: the manufacturer, the seller, the health care provider, the telecommunications service provider, etc etc.

On the other hand, having a multitude of potential defendants is not a definitive argument against the imposition of liability on some or even all, suitably apportioned.

It would usually be very difficult just to identify who did the attacking that caused the harm that gave rise to the liability. Moreover:

the average patient is generally not a target. And, as a whole, it’s probably safe to say that the sick and infirm are not a top-priority population for this kind of terroristic activity. So, other than imposing some basic government-issued standards for user-authentication and firewalls on all networked medical devices, would the benefits of heightened security measures beyond that really justify the costs?

As I understand the article, “the costs” here means of imposing, or trying to avoid, civil liability.

Do you agree that product liability is not a good road to go down for cybersecurity matters? Are health care products different for any reason? This article does not talk about cars or thermostats…

Would Canadian law lead to different places? Should it?