The Internet of Things (IoT) is disrupting just about every industry. But it may get disrupted itself as the nation’s legal and regulatory system slowly catches up with the massive security and privacy risks it creates.

Not anytime soon, however. “Work in progress” was the operative phrase at a panel session at this week’s RSA conference titled, “Flaming toasters to crashing cars – the Internet of Things and mass liability.”

Most of the problem with establishing legal liability surrounding the IoT is that while its growth is regularly called “explosive,” there is a lot more, and bigger, exploding yet to come.

The number of connected things is expected to expand so exponentially that one of the panelists, Jay Brudz, an attorney at Drinker Biddle & Reath, declared that “Internet of Things” is already a “dumb phrase. In years to come, it’s going to be everything but computers with a human interface, so it’s just going to be the Internet,” he said.

Another panelist, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, agreed that the IoT, as vast as it appears, is “still in the early days. NIST (National Institute of Standards and Technology) has some materials on this, but the broader set is a work in progress.”

That does not mean nothing is happening.
Nithan Sannappa, a privacy and data security attorney at the Federal Trade Commission (FTC), said the agency is interested in IoT consumer products or services, and has brought about 50 cases against various companies, mostly focused on the “inadequacy of the company’s network.”

Sannappa was the lead attorney on the recent settlement between the FTC and ASUSTek Computer over flaws in its consumer routers.

While the company had promised that customers could “safely secure and access your treasured data through your router,” the FTC found that “hackers used easily accessible tools to locate and exploit (them), gaining access to more than 12,900 consumers’ storage devices.”

The FTC’s authority comes under its role in sanctioning companies that demonstrate “unfair and deceptive” business practices.

But the FTC settlements so far haven’t included any heavy financial penalties – in most cases the companies agree to improve their security and to submit to audits. If they violate the terms of the agreement, they can then be subject to fines.

And while that may send a signal to other manufacturers about not promising what they are not delivering, Hibbard and Brudz both said in the rush to get connected devices to the market, security remains an afterthought.

“The business model is to launch them and then fix them later,” Brudz said.

Hibbard said this will become a bigger problem since the IoT amounts to “the building blocks of our future environment. The problem is that we’re only thinking three years ahead when we should be thinking 30 years ahead. It’s like our highway system – it would be better if we could completely rebuild our roads, but we can’t. We can only patch them.”

Another problem is that most devices are not easily updated, so when vulnerabilities are discovered, they remain.
“Some of them are embedded in your wall,” Hibbard said. “They’re not designed to let you get access.”

And yet another problem affecting legal liability is what Hibbard called “a mashup of devices – a half-dozen different devices put together in ways they were never designed to be in the first place.”

Those components could be in things ranging from bridges to traffic signals to cars. “From a legal perspective, it opens up interesting areas,” he said. “If something bad happens, which component made the poor decision that caused the harm?”

Brudz said the legal system also has yet to sort out who is responsible for damages in the case of a breach. In the case of ASUS routers, “is the fault with the guy who made the router, or the guy who stole the information (from customers)?” he asked. “If somebody breaks into your house, can you sue the guy who made the lock?”

What makes it even more complicated is that many attackers are in different countries, far from the reach of American law enforcement or the courts.

Sannappa said some of the biggest names in the private sector, like Apple, Google and Samsung, may help to set overall IoT security standards. “There is a possibility where we could have larger ecosystems, industry leaders, setting up a way for smaller players to have guidance.

“Then regulators can say, this is what you were supposed to be doing and weren’t,” he said.

But there was general agreement that the process will take time. “We may be looking three to four years out before standards start arriving,” Hibbard said. “And I think it is going to be the legal community that is going to weigh in on it.

“It’s going to be a wake-up call to manufacturers and developers to do something about their house of cards,” he said.