On January 27, the Federal Trade Commission (FTC) issued an FTC staff report titled “Internet of Things: Privacy & Security in a Connected World” (Report). The Report summarizes the FTC’s November 2013 workshop on the privacy and security concerns presented by the Internet of Things (IoT) and recommends that Congress enact strong, flexible and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach. Perhaps most importantly, the Report also sets forth the FTC staff’s recommended best practices in the areas of data security, data minimization and notice and choice for companies that develop and/or sell consumer-facing IoT devices.
“IoT” refers to the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click, home automation systems that turn on your front porch light when you leave work and bracelets that share with your friends how far you have biked or run during the day. Experts estimate that, as of this year, there will be 25 billion connected devices; by 2020, that number will reach 50 billion.
Although connected devices offer many advantages — including ease and efficiency of use, receipt of useful targeted information and receipt of assistance in emergency situations — these devices also pose increased risks to privacy and security. Possible risks include (i) enabling unauthorized access to and misuse of personal information, (ii) facilitating attacks on other systems, (iii) creating risks to personal safety and (iv) privacy risks flowing from the collection of personal information, habits, locations and physical conditions over time.
The FTC acknowledges that appropriate data security practices are IoT device–specific and depend on a variety of considerations, such as the quantity and sensitivity of data collected and the costs of remedying security vulnerabilities. Nevertheless, all companies that develop and/or sell IoT devices are encouraged to adopt the following best practices:
- Encourage a “culture of security” in the company, including designating senior officers to be responsible for information security and training employees to recognize vulnerabilities and to speak up about them
- Institute a “security by design” process, in which security measures are incorporated into the design of the IoT device, including conducting a risk assessment in advance of the launch, building authentication measures into the device, securing all interfaces with which the device communicates and limiting the device’s access only to data that it needs
- Select third-party service providers that are able to maintain reasonable security, and oversee those providers’ security practices; such oversight is particularly important because a failure to oversee third-party service providers could itself result in an FTC enforcement action
- Employ a “defense in depth” strategy, in which several layers of security are used to guard against specific risks
- Establish reasonable access control systems that limit unauthorized access to consumers’ data, the IoT device and networks, without excessively interfering with the usability of the IoT device
- Test the security of the IoT device before its launch and monitor the security of the device throughout its life cycle.
The FTC also encourages companies to craft policies that promote the long-standing privacy protection principle of data minimization. According to this principle, companies should only collect, process, store or disclose data that is necessary for accomplishing the purpose for which it was collected or with respect to which consent was acquired. As compliance with the data minimization principle is challenging in the IoT context, the FTC recommends a “flexible” approach to data minimization, which permits companies to limit data collection and retention in a manner that aligns with their business objectives. In particular, companies can elect to take one of the following actions:
- Collect no data
- Collect only the types of data that are needed to deliver the services offered by their IoT device(s)
- Collect only less sensitive data
- De-identify any data that they collect.
De-identification must be effective in view of technological developments and regulatory standards. Companies must publicly commit not to re-identify the data and must have enforceable contracts in place with any third parties with whom they share the data that require the third parties to commit not to re-identify the data.
Notice and Choice
The FTC reiterates the importance of providing notice and choice to consumers regarding data collection and use in the IoT context, especially when the data collected is sensitive and/or when its nature or intended use is unexpected in the context of the interaction in which it was collected. Recognizing that there is no universally appropriate approach to providing notice and choice, and that choice may not be necessary in every situation, the FTC identifies a number of potential approaches and notes that companies may want to consider using a hybrid approach. Examples of such approaches include providing choice at the point of sale; offering tutorials for users; using codes on the IoT device, such as QR codes; providing a privacy management dashboard; providing privacy-related information through other channels (e.g., emails or texts); and using preferences learned from the consumer’s use. The privacy choices offered to consumers should be noticeable, rather than hidden in long documents, and easy to comprehend. Companies would not be obligated to provide choice with respect to data that is effectively de-identified immediately following its collection.
Though the technology is still nascent, devices that connect to the Internet and that are capable of sending and receiving data are increasingly being integrated into various aspects of our lives, including our commute (smart cars, smart traffic control), our viewing habits (smart TVs), our homes (smart thermostats), our shopping habits (beacons) and our health (wearable heart monitors). In view of the increased risks these devices pose to a user’s right to privacy, the FTC will be closely monitoring companies that sell IoT devices for compliance with applicable laws, particularly the FTC Act’s prohibition against unfair and deceptive practices. 2014 has already seen the FTC’s first enforcement action in the IoT realm with the TRENDnet case. These actions will only increase in 2015 and thereafter.
Companies that develop or sell IoT devices should consider and devote sufficient resources to issues of privacy and information security in all aspects of their operations, including the following:
- The design of the device (implementing privacy and security by design)
- Corporate governance (appointing officers in charge of compliance, instituting policies and procedures)
- Employees (screening, access restriction and training)
- Third-party providers (careful selection, diligence process, imposing and enforcing compliance)
- Customers (providing notice and choice).
To this end, companies should seek advice and counsel from legal, technology and insurance professionals to ensure that the right steps are being taken and that appropriate protections are put in place.