The concept of the "Internet of Things" (IOT) is now well established in a consumer context. Prior to COVID-19, many industrial companies were already on considering various Industrial IOT (IIOT) use cases. COVID-19's widespread disruption to companies operating in the sector confirmed the strategic need to embrace digital tech and automation. There are key legal issues to consider on data, service performance and cybersecurity when commencing an IIOT project.
The application of IIOT is undoubtedly providing new and unique ways for IMT companies to enhance processes and provide more intelligent and efficient services. However, the use of these technologies is not without risk. To mitigate this risk as far as possible and to maximise the benefits, customers seeking to use such technologies need to:
- diligence the opportunity thoroughly to ensure that the risks of an IIOT project are properly understood before work starts;
- ensure their contracts with technology providers provide an appropriate level of protection, both as to IP or contractual rights in the input and output data and related materials and regarding the proper functioning and performance of the IIOT solution; and
- consider in detail the cybersecurity implications of the deployment of the solution and take appropriate legal and operational steps to mitigate the risks.
In the industrials sector, driving operational efficiencies through tactical technology deployment and integration has become a key strategic focus. Continued scrutiny on safety, regulatory compliance and environmental concerns means that there is an increasing drive to optimise equipment and systems and for IMT companies to be proactive, not reactive in order to mitigate operational and legal risks. Using digital technologies to improve the customer experience is also a strategic imperative. Tech is driving new business models, with many businesses facing the choice of competing with, or collaborating or investing in, tech companies.
One of the key digital trends in the sector has been dubbed Industry 4.0. The concept of the "Internet of Things (IOT)" (connected devices which are able to send and receive data) is now well established in a consumer context. Products such as connected cars, smart speakers for use in the home and smart meters have become mainstream. This trend has been mirrored in the industry as highlighted in Baker McKenzie's Back to the Future campaign, effectively taking the same principles and using them to create connected products that support industrial or manufacturing processes ("Industrial IOT" (IIOT)).
Prior to COVID-19, many industrial companies were already on this IIOT journey. However, the COVID-19 crisis which has caused widespread disruption to companies operating in the industrials sector has certainly confirmed the strategic need for companies to embrace tech and the use of automation and digital technology. Not only has technology helped IMT companies' resilience through the crisis, they are also focused on how accelerating their move to digital could help them with recovery (e.g. by introducing more process efficiencies and reducing costs), and/or help them renew or diversify their offerings and emerge stronger and more able to adapt to a 'new normal'.
Examples of the use of smart technology in the IMT sector include:
- Collection of performance or diagnostic data on internal processes so that companies can operate more efficiently and can offer tailored propositions to their customer base.
- Process digitalization, resulting in a move away from paper based processes and towards real-time sharing of information.
- Use of smart meters, GPS trackers and similar technologies in industrial processes to create efficiencies and improve record keeping to support audit and inspection regimes.
- Use of automation and remote operations to improve safety and decrease the risk of industrial accidents or decrease the need for employees to work onsite.
- Enabling field or assembly line personnel to easily submit information on job progress and access the data they need to make sound decisions.
- Incorporating connected devices into supply chain strategy in order to exchange real-time data between relevant supply chain participants and enable smoother day-to-day operations, reduce operational costs and increase overall agility and ability to be competitive.
- Installing connectivity kits on machinery to allow for remote monitoring, data collection and predictive maintenance.
- Workforce tracking tools to ensure safety at work (including post Covid-19 so that employees can return to work while maintaining physical distancing measures).
The legal mechanics
There are some key legal issues to consider when commencing an IIOT project. These include considerations in terms of data, service performance and cybersecurity.
Data ownership and exploitation
IIOT is all about the collection and use of data. Where the data involves information relating to an individual (e.g. an employee) data privacy laws will apply. However, in the IIOT context, much of the data won't be personal data, but data relating to a company's industrial systems or processes. IMT companies will be keen to protect and maximise the value in that data. In many legal regimes around the world there are no specific intellectual property rights that attach to data. Accordingly, when IMT companies are engaging with third parties on IIOT projects (e.g. a solution or service provider) they will need to clearly specify in the contract the ownership and usage rights in any data collected and processed by the solution or services.
Part of the discussion between parties will inevitably focus on data aggregation. Providers will generally want the flexibility to aggregate data collected from multiple customers to develop and enhance their solutions and services and create new offerings. However, customers may be reluctant to allow solution providers to aggregate data and derive value from what they consider to be their valuable information. While these are ultimately commercial decisions, the agreed positions will need to be explicitly set out in the contract so that the parties ownership and licence rights around use of the data (and any derived data) are clear.
Typically, a company's decision to invest in an IIOT solution will be driven, at least in part, by a desire to create a process efficiency or to realise a cost saving. For example, introducing IIOT may be accompanied by a workforce reduction as manual processes are replaced by automation.
Often the investment is made in order to enhance processes that are fundamental to the company's core business operations, e.g. if a manufacturer of industrial components implements an IIOT solution to automate parts of its assembly line, or to ensure that there is a contingency or level of business continuity available if the traditional way of working is affected in some unforeseen way.
Accordingly, it is clearly important that the deployed IIOT solution operates efficiently and with a minimal amount of downtime. If it doesn't, then it could affect the ability of an organisation to operate efficiently, as significant workaround costs may be incurred each time an incident arises. Or it might affect the customer's ability to run its business at all - in an extreme case.
Therefore, it's vital to conduct thorough due diligence on the solution from a technical perspective prior to implementation, plus ensure that the contract for the supply of the solution provides appropriate protection in the event of failure. Three areas are of particular importance:
- service description - it will be key to ensure that there is a reasonably detailed description of the solution / services which sets out what the supplier is contracted to do for the fees. If the description is not sufficiently detailed, or is ambiguous, this has the potential to lead to disputes between the parties if the solution does not operate as expected. Of special note here is the description of any maintenance services that the supplier agrees to provide and a description of any required interfaces or connectivity with other systems.
- SLAs - some performance metric(s) for the solution will be required. These metrics could take different forms depending on the company's requirements, such as an availability or uptime commitment, a quality or accuracy commitment, and/or a commitment about how long it takes to complete certain tasks (either on a per task basis or on average).
- remedies - in addition to imposing service credits where SLAs have been breached, particular care will be needed when considering the drafting of liability caps and exclusions under the contract. Customers may insist on certain types of cost being recoverable (e.g. for lost profits caused by a complete shutdown of the solution). Suppliers will likely have a different view of how liability should be allocated between the parties.
Although the use of IIOT presents an opportunity to streamline or improve processes, it also comes with some disadvantages. One key disadvantage is that IIOT solutions often require multiple devices to be connected to a network, thereby leaving a large attack surface which a malicious actor may look to exploit. As well as having the potential to interfere with the operation of the IIOT system itself, an exploit of a vulnerability in the IIOT solution may cause broader problems depending on how the system is configured and connected with other systems operated by the company.
It is strongly in the customer's interests to ensure that processes are put in place to prevent unauthorised persons from gaining access to data collected or remotely accessing or disrupting the IIOT solution or other customer systems. To assist with this, a focus on security should be a significant component of its due diligence, including fully understanding what data will be used and where it will be stored. Detailed security testing should be conducted throughout implementation and on an ongoing basis while the IIOT solution is operational to verify the information obtained as part of the due diligence and to check that the solution is capable of addressing evolving security threats (especially where the solution is intended to fulfil a long term organisational need).
There should also be some thought put to the technical and organisational security measures to be applied to the system and how these should be described contractually and operationalised. These may include encryption of data at rest and in transit, introducing strict obligations on the supplier for security upgrades and patching, implementing appropriate firewalls, access controls and logging/monitoring. Given the increased threat of attack that would result from the use of IIOT solutions, the company will need to consider incident response plans when deploying the IIOT solution. In particular it will be helpful to ensure that more sensitive parts of the corporate network are segregated from the IIOT network, and that other appropriate intrusion prevention and detection measures are implemented.