Q: What do Sourcing@MorganLewis and the Federal Trade Commission (FTC) have in common?
A: We’ve both been talking about the Internet of Things (IoT).
The FTC recently detailed potential industrywide risks with respect to the IoT and the FTC’s recommended approaches to address these risks in its staff report, Internet of Things: Privacy & Security in a Connected World. As our loyal readers may recall, we at Sourcing also recently spent some time discussing the IoT (see our previous IoT entries for a brief introduction to the IoT and a discussion of vehicle-to-vehicle communications). Today we will review the contents of the FTC report to provide summary takeaways for those involved in this developing industry.
What Risks Are Presented by IoT Use?
Much of the FTC report summarizes the positions of participants from a November 2013 FTC-hosted workshop on the IoT, including academics, consumer advocates, and representatives from government and industry. The scope of the workshop and the report was limited to IoT devices sold to or used by consumers and did not extend to business-to-business or other commercial machine-to-machine communications. The FTC describes various security and privacy risks concerning the IoT through these workshop summaries in the report.
The FTC noted various security risks to consumers of IoT devices, including the following:
- IoT devices could enable unauthorized access or misuse of personal information collected, stored, or transmitted.
- IoT devices could facilitate attacks on consumers’ networks to which the device is connected or other systems used in connection with the device.
- IoT devices could create physical safety risks to consumers, such as through unauthorized access to medical devices (e.g., insulin pumps) or to IoT-enabled vehicles.
The FTC also noted various privacy risks to consumers of IoT devices, including similar risks to those presented by traditional online and mobile commerce as a result of collecting sensitive personal information. Additionally, the FTC noted more novel risks arising from the collection of “personal information, habits, location and physical conditions over time,” which may allow a company to infer sensitive personal information that it has not directly collected.
FTC Recommendations to Address IoT Risks
Although the FTC and panel participants acknowledged the risks involved with the IoT, they were largely aligned on the numerous, and potentially revolutionary, benefits offered by the IoT. To minimize those risks without stifling the industry, the FTC outlined its recommended best practices for companies in the IoT space:
- Data Security: FTC recommendations included “security by design” for IoT devices, beginning with the initial product design at the outset of the product development cycle; implementing “reasonable access control measures” to reduce the likelihood of an unauthorized person accessing a consumer’s device, data, or network; implementing a “defense-in-depth” approach to data security for high-risk IoT systems, which considers security measures at various levels of the IoT systems; and continuing to monitor and implement patches for IoT devices throughout the product lifecycle.
- Data Minimization: Data minimization in the IoT space requires a balancing of companies’ need for flexibility to innovate using data obtained through the IoT and consumers’ need to limit the security and privacy risks described above. The FTC recommends that companies “develop policies and practices that impose reasonable limits on the collection and retention of consumer data” in light of their overall data practices and business needs, but stops short of providing recommendations as to the scope of data collected or duration for the retention of data.
- Notice and Choice: The FTC acknowledged that traditional methods of providing consumers with notice and opportunity to choose regarding data collection may be less useful in situations that involve the IoT and that not every data collection practice should require notice and choice. However, in many situations, especially where data collection practices are inconsistent with typical consumer expectations of the type of data collected and manner of data use for the specific IoT devices, the FTC recommends notice and choice procedures. Recommended methods of notice and choice include opt-ins to privacy policies at a device’s point of sale, quick response codes placed on IoT devices that link to privacy policies and notice and choices provided to consumers during set-up wizards or other device-initiation processes.
- Legislation: The FTC reiterated its previous assertions to lawmakers requesting “strong, flexible, and technology-neutral” legislation to strengthen the FTC’s data security enforcement mechanisms and require notification to consumers of security breaches, but did not recommend legislation that specifically targets the IoT industry.
The FTC report provides a useful roadmap to risks involved with the development and use of IoT devices and how members of the IoT industry may address these risks. At the same time, the report acknowledges the expected growth and the resulting uncertainty as to the best approach to regulation for the industry. Keep a lookout for future posts on additional developments related to the IoT.