We are creating an entirely new ecosystem based in technology rather than in biology—the Internet of Things (“IOT”) ecosystem—and it’s growing fast. Companies are selling IOT devices or mobile apps that interact with IOT devices; some have always been in the technology space, while others are new to it.
Furthermore, consumers are growing more and more dependent on these devices that connect them to the world. With an increasing dependence on IOT devices, the information they gather about us (so-called “Big Data”) becomes an attractive target for cyber criminals. The lightning pace of technological development causes security measures to go quickly out-of-date. Sometimes, customers may retain IOT devices with that out-of-date software, or simply fail to update with the latest patches.
So how should we combat these security risks? Looking to regulatory guidance and enforcement in the past few years, companies should:
- Consider and implement reasonable privacy and security practices and accurately communicate them to consumers
- Re-evaluate those practices as needed, and
- Commit to their privacy and security practices or risk regulatory action.
The IOT ecosystem presents magnified challenges in privacy and security because of the amount of consumer information collected. To prevent excessive new regulation, promote consumer confidence, and avoid costly litigation, IOT companies can and should work to stay ahead of potential cybersecurity threats and comply with current regulatory policies, which are still in their infancy as applied to IOT devices. Several federal regulatory agencies suggested that IOT companies should be thinking about data privacy and security risks, including those related to out-of-date products. For example, the FTC has published guidance including Internet of Things: Privacy & Security in a Connected World, Careful Connections: Building Security in the Internet of Things and Start with Security: A Guide for Business. The FTC does not mandate specific security requirements, but currently recommends companies employ practices to protect customers, both during the device’s life cycle and after. The Department of Homeland Security has suggested that IOT companies develop an “end-of-life” strategy for IOT products, considering product sunset issues, managing manufacturer and consumer expectations regarding IOT devices, and communicating the risks of using devices past their usability date. (Strategic Principles for Security the Internet of Things (IoT), U.S. Dep’t of Homeland Sec., at 8; Nov. 15, 2016).
Privacy and security begins before a product hits the market and continues throughout the product’s life cycle, and maybe beyond, according to the FTC. IOT devices collect and store certain information, and IOT companies should consider, how, where, and for how long that information will be stored. Companies should also think of their products not in isolation, but as part of the IOT ecosystem, unless a company designs mechanisms to keep its products from interacting with others (such as authentication). Security in the IOT space is “not a one-and-done proposition.” (Careful Connections, at 6; see also Start with Security, at 12). IOT companies must re-evaluate security and consider how updates will be implemented. IOT companies can close gaps in data privacy and security by communicating to customers the scope of the IOT device’s life cycle, the role the IOT company will play throughout that life cycle, and customer responsibilities (such as installing patches). Further, without a method for erasing the collected and stored information, it will be maintained there, perhaps forever, regardless of whether the IOT device is still maintained with best security practices. For example, companies should consider whether the IOT device will automatically update or whether to rely on consumers to download software updates, which require certain technical aptitude. In the end, each data privacy and security plan will be unique to the product and company resources.
In creating a privacy and security plan, IOT companies should be mindful of regulatory enforcement for failure to fully comply with their own advertised practices. For example, companies should honor representations made to consumers regarding privacy and security practices, or risk regulatory scrutiny. If not, the FTC may bring an enforcement action, which it did against IOT company, TRENDnet, Inc. According to the FTC, TRENDnet failed to implement reasonable security practices, monitor security vulnerability reports from third parties, test and review potential security vulnerabilities, and implement reasonable guidance for its employees, and thus was in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The case settled, and the terms of the settlement prohibited TRENDnet from misrepresenting its privacy and security practices and required it to establish a comprehensive security risk program.
2017 looks to bring more IOT devices to consumers and more mobile apps connecting consumers to IOT devices. The FTC has opened 2017 by filing a complaint against computer networking equipment manufacturer, D-Link Corp., alleging D-Link’s routers and internet cameras have inadequate security measures that place consumers’ privacy and security at risk.
Looking at the FTC’s track record thus far, it appears that regulators are worried about the existence of data privacy and security procedures, the adequacy of such procedures, and the accuracy of any representations regarding such procedures. As government regulators look to actively protect consumers from data privacy and security concerns, companies can stay ahead of cybersecurity threats by implementing reasonable privacy and security practices, re-evaluate as needed, and accurately communicate any privacy and security practices to their customers.