May 22, 2019

May 22, 2019

Subscribe to Latest Legal News and Analysis

May 21, 2019

Subscribe to Latest Legal News and Analysis

May 20, 2019

Subscribe to Latest Legal News and Analysis

Commitment to Protection of User Data Essential To Consumer Adoption of IoT Devices – Three Things to Know about the New Hampshire Amazon Echo Case

Recently, Amazon refused (registration required) to provide data from an Amazon Echo device in a case involving the a double homicide in response to an order issued by a New Hampshire state judge.  Prosecutors believe that the Echo may have recorded data relevant to the crime; a potential perpetrator has already been charged.  Per a statement released November 20th, Amazon has stated that it “it “will not release customer information without a valid and binding legal demand properly served on us.”   New Hampshire does not provide electronic access to court records, so it is not known as of this post whether Amazon has been served with the court order and complied.  The order was signed by Justice Steven Houran on November 5. 

As we have discussed, CA recently passed legislation requiring manufacturers of connected devices, often referred to as Internet of Things (“IoT”) devices, to equip these devices with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”  California’s legislature has apparently recognized that providing security for these devices needs to be a priority to protect consumers. 

Companies such as Amazon depend on consumers being willing to purchase and allow IoT devices such as Amazon’s Echo into their homes and their lives.  Consumers, in the aggregate, will likely only be willing to allow these devices into their homes if they trust that the company behind the device will provide protection their data that they feel comfortable with. 

Companies that wish to build and maintain this trust with consumers will need to ensure that they go beyond the barebones legal requirements and convince consumers through their corporate actions that they take privacy and data protection seriously.  This will involve implementing a comprehensive privacy and data security program that includes at least the three parts below.   

  1. Posting and Complying with Their Own Privacy Policy the IoT Device

Privacy policies are required in many cases where devices collect personally identifiable information, including under California law.  However, beyond the obvious legal implications of posting and complying with your own privacy policy, consumers may be less likely to use IoT devices from companies that have a demonstrable record of not living up to their own privacy commitments. 

  1. Provide Appropriate Security for the IoT Device

As outlined above, appropriate security for the IoT Device will be a legal requirement under California law.  Even so, device companies that are serious about large-scale adoption need to think beyond just the risk of legal enforcement.  How likely are consumers to introduce an IoT device that has access to their sensitive data, and could, for example, record audio or video of their daily activities, if they feel company is not serious about providing security measures to prevent unauthorized access? 

  1. Protecting Data Collected by the IoT Device Against Improper Use Or Request By Third Parties

This requirement goes beyond complying with a posted privacy policy or providing reasonable technological security measures – when push comes to shove, is the company providing sensitive data collected by the IoT device to third parties in ways that would concern consumers?  Here, Amazon is objecting to an order that it does not consider to be a “valid and binding legal demand” to turn over user data.  Whether that is legally sound, is not a point of examination for this post.  Consumers will want the security of knowing that not only will an entity comply with its own policies and provide reasonable technical security – the entity will not just hand over their sensitive data to third parties when a request is made unless it is required to do so.  By being willing to object to this demand, Amazon is arguably demonstrating that it takes user privacy seriously. 

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive...

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney

Brian has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. Beyond counseling on compliance, incident response, and data privacy and protection, Brian has advised on technology-centric agreements, licensing issues, open source software licensing, vendor agreements, and hosting agreements, and analyzed patent portfolios for potential assertion or freedom to operate. He is a Certified Information Privacy Professional (US Specialization), and Certified Information Systems Security Professional (CISSP), endorsement pending.

Prior to joining Mintz Levin, Brian held associate roles at several California law firms, and spent five months as a Judicial Extern for the Hon. Richard M. Neiter. He also spent time as a network security analyst prior to entering the legal field and is well-versed in computer science and telecommunications. While attending law school, Brian earned the USC Fulton Haight Memorial Scholarship, and American Jurisprudence Awards in Criminal Law, Antitrust, and Advanced Intellectual Property.