October 19, 2021

Volume XI, Number 292

Advertisement
Advertisement

October 19, 2021

Subscribe to Latest Legal News and Analysis

October 18, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Commitment to Protection of User Data Essential To Consumer Adoption of IoT Devices – Three Things to Know about the New Hampshire Amazon Echo Case

Recently, Amazon refused (registration required) to provide data from an Amazon Echo device in a case involving the a double homicide in response to an order issued by a New Hampshire state judge.  Prosecutors believe that the Echo may have recorded data relevant to the crime; a potential perpetrator has already been charged.  Per a statement released November 20th, Amazon has stated that it “it “will not release customer information without a valid and binding legal demand properly served on us.”   New Hampshire does not provide electronic access to court records, so it is not known as of this post whether Amazon has been served with the court order and complied.  The order was signed by Justice Steven Houran on November 5. 

As we have discussed, CA recently passed legislation requiring manufacturers of connected devices, often referred to as Internet of Things (“IoT”) devices, to equip these devices with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”  California’s legislature has apparently recognized that providing security for these devices needs to be a priority to protect consumers. 

Companies such as Amazon depend on consumers being willing to purchase and allow IoT devices such as Amazon’s Echo into their homes and their lives.  Consumers, in the aggregate, will likely only be willing to allow these devices into their homes if they trust that the company behind the device will provide protection their data that they feel comfortable with. 

Companies that wish to build and maintain this trust with consumers will need to ensure that they go beyond the barebones legal requirements and convince consumers through their corporate actions that they take privacy and data protection seriously.  This will involve implementing a comprehensive privacy and data security program that includes at least the three parts below.   

  1. Posting and Complying with Their Own Privacy Policy the IoT Device

Privacy policies are required in many cases where devices collect personally identifiable information, including under California law.  However, beyond the obvious legal implications of posting and complying with your own privacy policy, consumers may be less likely to use IoT devices from companies that have a demonstrable record of not living up to their own privacy commitments. 

  1. Provide Appropriate Security for the IoT Device

As outlined above, appropriate security for the IoT Device will be a legal requirement under California law.  Even so, device companies that are serious about large-scale adoption need to think beyond just the risk of legal enforcement.  How likely are consumers to introduce an IoT device that has access to their sensitive data, and could, for example, record audio or video of their daily activities, if they feel company is not serious about providing security measures to prevent unauthorized access? 

  1. Protecting Data Collected by the IoT Device Against Improper Use Or Request By Third Parties

This requirement goes beyond complying with a posted privacy policy or providing reasonable technological security measures – when push comes to shove, is the company providing sensitive data collected by the IoT device to third parties in ways that would concern consumers?  Here, Amazon is objecting to an order that it does not consider to be a “valid and binding legal demand” to turn over user data.  Whether that is legally sound, is not a point of examination for this post.  Consumers will want the security of knowing that not only will an entity comply with its own policies and provide reasonable technical security – the entity will not just hand over their sensitive data to third parties when a request is made unless it is required to do so.  By being willing to object to this demand, Amazon is arguably demonstrating that it takes user privacy seriously. 

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VIII, Number 340
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney
Associate

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often...

858.314.1583
Advertisement
Advertisement
Advertisement