June 27, 2017


Staying Ahead of Privacy and Security Risks in Internet of Things

This article originally was published by IPWatchdog.com.

We are creating an entirely new ecosystem based in technology rather than in biology—the Internet of Things (“IOT”) ecosystem—and it’s growing fast.  Companies are selling IOT devices or mobile apps that interact with IOT devices; some have always been in the technology space, while others are new to it.

Furthermore, consumers are growing more and more dependent on these devices that connect them to the world.  With an increasing dependence on IOT devices, the information they gather about us (so-called “Big Data”) becomes an attractive target for cyber criminals.  The lightning pace of technological development causes security measures to go quickly out of date.  Sometimes, customers keep using IOT devices that still run that out-of-date software, or simply fail to install the latest patches.

So how should we combat these security risks?  Looking to regulatory guidance and enforcement in the past few years, companies should:

  1. Consider and implement reasonable privacy and security practices and accurately communicate them to consumers

  2. Re-evaluate those practices as needed, and

  3. Commit to their privacy and security practices or risk regulatory action.

The IOT ecosystem presents magnified challenges in privacy and security because of the amount of consumer information collected.  To prevent excessive new regulation, promote consumer confidence, and avoid costly litigation, IOT companies can and should work to stay ahead of potential cybersecurity threats and comply with current regulatory policies, which are still in their infancy as applied to IOT devices.  Several federal regulatory agencies have suggested that IOT companies should be thinking about data privacy and security risks, including those related to out-of-date products.  For example, the FTC has published guidance including Internet of Things: Privacy & Security in a Connected World, Careful Connections: Building Security in the Internet of Things, and Start with Security: A Guide for Business.  The FTC does not mandate specific security requirements, but currently recommends that companies employ practices to protect customers, both during the device’s life cycle and after.  The Department of Homeland Security has suggested that IOT companies develop an “end-of-life” strategy for IOT products, considering product sunset issues, managing manufacturer and consumer expectations regarding IOT devices, and communicating the risks of using devices past their usability date.  (Strategic Principles for Securing the Internet of Things (IoT), U.S. Dep’t of Homeland Sec., at 8; Nov. 15, 2016).

Privacy and security begin before a product hits the market and continue throughout the product’s life cycle, and maybe beyond, according to the FTC.  IOT devices collect and store certain information, and IOT companies should consider how, where, and for how long that information will be stored.  Companies should also think of their products not in isolation, but as part of the IOT ecosystem, unless a company designs mechanisms (such as authentication) to keep its products from interacting with others.  Security in the IOT space is “not a one-and-done proposition.”  (Careful Connections, at 6; see also Start with Security, at 12).  IOT companies must re-evaluate security and consider how updates will be implemented.  For example, companies should consider whether the IOT device will update automatically or whether to rely on consumers to download software updates, which requires a certain technical aptitude.  IOT companies can close gaps in data privacy and security by communicating to customers the scope of the IOT device’s life cycle, the role the IOT company will play throughout that life cycle, and customer responsibilities (such as installing patches).  Further, without a method for erasing the collected and stored information, it will remain there, perhaps forever, regardless of whether the IOT device is still maintained with best security practices.  In the end, each data privacy and security plan will be unique to the product and the company’s resources.

In creating a privacy and security plan, IOT companies should be mindful of regulatory enforcement for failure to fully comply with their own advertised practices.  For example, companies should honor representations made to consumers regarding privacy and security practices, or risk regulatory scrutiny.  If they do not, the FTC may bring an enforcement action, as it did against the IOT company TRENDnet, Inc.  According to the FTC, TRENDnet failed to implement reasonable security practices, monitor security vulnerability reports from third parties, test and review potential security vulnerabilities, and implement reasonable guidance for its employees, and thus was in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).  The case settled, and the terms of the settlement prohibited TRENDnet from misrepresenting its privacy and security practices and required it to establish a comprehensive security risk program.

2017 looks to bring more IOT devices to consumers and more mobile apps connecting consumers to IOT devices.  The FTC has opened 2017 by filing a complaint against the computer networking equipment manufacturer D-Link Corp., alleging that D-Link’s routers and internet cameras have inadequate security measures that place consumers’ privacy and security at risk.

Looking at the FTC’s track record thus far, it appears that regulators are worried about the existence of data privacy and security procedures, the adequacy of such procedures, and the accuracy of any representations regarding such procedures.  As government regulators look to actively protect consumers from data privacy and security concerns, companies can stay ahead of cybersecurity threats by implementing reasonable privacy and security practices, re-evaluating them as needed, and accurately communicating their privacy and security practices to their customers.

Copyright © 2017 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

About this Author

Taylor Ey, Associate, Intellectual Property Practice Group, Womble Carlyle

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.
