The Federal Trade Commission (“FTC”) issued a new report calling for greater protection of consumers’ privacy. On January 27, 2015, the FTC released its report on the Internet of Things (the “Report”). The “Internet of Things” is the term used by the FTC to refer to the “ability of everyday objects to connect to the Internet and to send and receive data.” In the Report, the FTC made several recommendations regarding consumer privacy for companies developing such devices, including:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
The FTC did not issue any mandatory regulations or requirements regarding data collection or security through the Report, but the FTC’s recommendations may foreshadow future legislative and regulatory action. The FTC stated that businesses should “consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely.” The FTC also recommended “companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.”
Notably, the Report stated that legislation regarding the Internet of Things is currently premature because the technology is rapidly evolving. However, the FTC called for strong data security and data breach notification legislation. The FTC’s call for such legislation is particularly timely given President Obama’s recent call for a federal data breach notification law. Such a law would ostensibly seek to make uniform the amount of days under which a business is required to disclose a data breach to consumers, as opposed to businesses operating under the patchwork of data breach security and notification laws enacted by many of the states.
The FTC’s report on the Internet of Things should serve as a reminder to Florida businesses that they must pay close attention to the evolving laws regulating consumer privacy and data breaches.