Staying Ahead of Privacy and Security Risks in the Internet of Things

By Taylor Ey
January 16, 2017

We are creating an entirely new ecosystem based in technology rather than in biology—the Internet of Things (“IOT”) ecosystem—and it’s growing fast.  Companies are selling IOT devices or mobile apps that interact with IOT devices; some have always been in the technology space, while others are new to it.

Furthermore, consumers are growing more and more dependent on these devices that connect them to the world.  With an increasing dependence on IOT devices, the information they gather about us (so-called “Big Data”) becomes an attractive target for cyber criminals.  The lightning pace of technological development causes security measures to go quickly out-of-date.  Sometimes, customers may retain IOT devices with that out-of-date software, or simply fail to update with the latest patches.

So how should we combat these security risks?  Looking to regulatory guidance and enforcement in the past few years, companies should:

  1. Consider and implement reasonable privacy and security practices and accurately communicate them to consumers
  2. Re-evaluate those practices as needed, and
  3. Commit to their privacy and security practices or risk regulatory action.

The IOT ecosystem presents magnified challenges in privacy and security because of the amount of consumer information collected.  To prevent excessive new regulation, promote consumer confidence, and avoid costly litigation, IOT companies can and should work to stay ahead of potential cybersecurity threats and comply with current regulatory policies, which are still in their infancy as applied to IOT devices.  Several federal regulatory agencies have suggested that IOT companies should be thinking about data privacy and security risks, including those related to out-of-date products.  For example, the FTC has published guidance including Internet of Things: Privacy & Security in a Connected World, Careful Connections: Building Security in the Internet of Things and Start with Security: A Guide for Business.  The FTC does not mandate specific security requirements, but currently recommends companies employ practices to protect customers, both during the device’s life cycle and after.  The Department of Homeland Security has suggested that IOT companies develop an “end-of-life” strategy for IOT products, considering product sunset issues, managing manufacturer and consumer expectations regarding IOT devices, and communicating the risks of using devices past their usability date.  (Strategic Principles for Securing the Internet of Things (IoT), U.S. Dep’t of Homeland Sec., at 8; Nov. 15, 2016).

Privacy and security begin before a product hits the market and continue throughout the product’s life cycle, and maybe beyond, according to the FTC.  IOT devices collect and store certain information, and IOT companies should consider how, where, and for how long that information will be stored.  Companies should also think of their products not in isolation, but as part of the IOT ecosystem, unless a company designs mechanisms to keep its products from interacting with others (such as authentication).  Security in the IOT space is “not a one-and-done proposition.”  (Careful Connections, at 6; see also Start with Security, at 12).  IOT companies must re-evaluate security and consider how updates will be implemented.  IOT companies can close gaps in data privacy and security by communicating to customers the scope of the IOT device’s life cycle, the role the IOT company will play throughout that life cycle, and customer responsibilities (such as installing patches).  Further, without a method for erasing the collected and stored information, it will be maintained there, perhaps forever, regardless of whether the IOT device is still maintained with best security practices.  For example, companies should consider whether the IOT device will automatically update or whether to rely on consumers to download software updates, which require certain technical aptitude.  In the end, each data privacy and security plan will be unique to the product and company resources.

In creating a privacy and security plan, IOT companies should be mindful of regulatory enforcement for failure to fully comply with their own advertised practices.  For example, companies should honor representations made to consumers regarding privacy and security practices, or risk regulatory scrutiny.  If not, the FTC may bring an enforcement action, which it did against IOT company, TRENDnet, Inc.  According to the FTC, TRENDnet failed to implement reasonable security practices, monitor security vulnerability reports from third parties, test and review potential security vulnerabilities, and implement reasonable guidance for its employees, and thus was in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).  The case settled, and the terms of the settlement prohibited TRENDnet from misrepresenting its privacy and security practices and required it to establish a comprehensive security risk program.

2017 looks to bring more IOT devices to consumers and more mobile apps connecting consumers to IOT devices.  The FTC has opened 2017 by filing a complaint against computer networking equipment manufacturer, D-Link Corp., alleging D-Link’s routers and internet cameras have inadequate security measures that place consumers’ privacy and security at risk.

Looking at the FTC’s track record thus far, it appears that regulators are worried about the existence of data privacy and security procedures, the adequacy of such procedures, and the accuracy of any representations regarding such procedures.  As government regulators look to actively protect consumers from data privacy and security concerns, companies can stay ahead of cybersecurity threats by implementing reasonable privacy and security practices, re-evaluating them as needed, and accurately communicating any privacy and security practices to their customers.

The Author

Taylor Ey

Taylor Ey is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office. Her practice focuses on the intersection of corporate and intellectual property law.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com.

Discuss this

There are currently 10 comments.

  1. Jane W. January 16, 2017 12:34 pm

    Thanks for the interesting post – regulatory compliance in IoT privacy is an important issue today. FYI, there’s a recent article on reasonable cybersecurity in the Florida Bar Journal at http://www.floridabar.org/DIVCOM/JN/JNJournal01.nsf/8c9f13012b96736985256aa900624829/187560d8acd922398525801a005f13e5!OpenDocument

  2. Ian Wright January 17, 2017 7:07 am

    The IoT devices are going to be very vulnerable to threats. Smart devices at my house get their network through PureVPN which is set up on my router. They’re much more secure.

  3. Ternary January 17, 2017 8:57 am

    This is an interesting article in the context of ongoing 101 rejections of cryptographic inventions. Modern cryptography has its fundaments in mathematical concepts (like modular exponentiation). Cryptographic patent applications continue to receive Alice rejections as being “abstract ideas”. IoT will require more and better encryption such as for authentication. Current cryptography is fairly clunky and places high computational demands on processors.

    Perhaps the FTC and other regulators should discuss with the USPTO or even better with Congress how to stimulate inventions in cryptography, rather than limiting it. If Congress can impose CBM it can also discuss a CSA (cryptography stimulation act).

  4. Truth Seeker April 3, 2017 5:52 pm

    What happened to my comment?

  5. Gene Quinn April 3, 2017 7:12 pm

    Truth Seeker-

    I had to fish your comment asking “What happened to my comment?” from the spam filter. My guess is the obviously fake e-mail address you used is what provoked it to be treated like spam.

    I generally check for real comments before clearing spam, but it is a cursory check. Even with an aggressive firewall we can get many dozens, or sometimes hundreds, of spam comments a day.

  6. News Skeptic April 4, 2017 12:44 pm

    What happened to my comment(s)??

  7. News Skeptic April 4, 2017 12:49 pm

    Why doesn’t the PTO track its outgoing mail? What does that say about their security? It’s the 21st century, how can this be? Who takes responsibility when it gets lost or, even worse, stolen? If someone steals it, how would they ever find the person, if they don’t even have tracking numbers? Don’t issues of security apply to the PTO (the one-stop shopping for the latest in high-technology)?

  8. Gene Quinn April 4, 2017 1:41 pm

    News Skeptic-

    What happened to your comments? They continue to go into spam. The comment where you lectured me on why your comments shouldn’t be going into spam was full of misspellings and horrible grammatical errors to the point where you have a couple words, punctuation, a couple words, random punctuation, etc. etc. That plus using a fake e-mail address is almost certainly what is causing your comments to go to spam. So given that your comment was full of those kinds of spam indicators and you went on about how our spam filters shouldn’t be weeding out your comments, I didn’t save it from the spam folder. And for the record, my job is not to save comments from the spam folder. Those who use fake e-mail addresses are already at a higher risk of their comments getting automatically spammed. That is just the way it is.

  9. News Skeptic April 5, 2017 12:02 pm

    Don’t worry, won’t be coming back to this site anymore (so your spam folder might get a little smaller). Challenging and critical comments, apparently, are not all that welcome here. At least I have never seen many.

  10. Gene Quinn April 5, 2017 2:18 pm

    News Skeptic-

    Challenging and critical comments are certainly welcome. You, however, have repeatedly submitted such poorly written comments that they make no sense and have terrible grammatical errors that the spam filter catches them. On top of that you use a fake name and a fake e-mail address. Why you are surprised that those comments couldn’t escape our spam filter is curious. So clearly you are not a serious person interested in a serious discussion.

    As for the latest comment that I deleted, you continue to lecture me on why our spam filter shouldn’t capture your unreadable comments and why using a fake e-mail address shouldn’t matter. Those comments have nothing to do with the topic of this article. As per our long standing policy, unrelated and off-topic comments are not allowed. This is not a forum for anyone to say anything. This is a forum to have a meaningful discussion about the article or issues raised. You are obviously incapable of that. Glad to see you go.

    -Gene