Journal of International Technology and Information Management

Document Type



While there is an identifiable trend towards protecting consumers from data breaches and data misuses related to IoT devices through new legislation, new regulations, government enforcement actions, and private lawsuits, there has been little progress towards creating similar legally enforceable standards of care for “cyber-physical device security.” This article explores this underdeveloped area of academic inquiry into cyber-physical device security within the context of product liability litigation in the United States. The two questions addressed in this article are: (1) Have there been any successful products liability court decisions in the United States that have held IoT manufacturers liable for creating IoT products with inadequate cyber-physical device security; and (2) Is it likely that product liability litigation will soon lead to significant change in IoT cyber-physical device security? Analysis of laws, regulations, and court cases shows that the answer to both questions is negative. These findings have implications for IoT device users, device manufacturers, and the government agencies whose job it is to deter data breaches and other IoT-related cyberattacks.