A recent report published by the FTC recognized a rapid growth of connected devices. The FTC noted that, while presenting societal benefits, the introduction of everyday objects with the ability to connect to the internet, collect and transmit information (the Internet of Things) poses numerous risks of undermining consumer confidence and privacy and, in particular, of enabling unauthorized access and misuse of personal information, facilitating attacks on other systems and creating risks to personal safety.
Considering the impact of the Internet of Things on the daily lives of millions of consumers through the adoption of health and fitness monitors, home security devices, connected cars, as well as household appliances, the FTC has recommended a series of concrete steps that companies can take to enhance and protect consumers’ privacy and security:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks;
- limit the collection of consumer data (data minimization), and retain that information only for a set period of time, not indefinitely. Companies can choose to collect no data, to collect only data limited to the categories required to provide the service offered by the device (less sensitive data), or to de-identify the data collected; and
- notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.
In addition to the report, the FTC also released a new publication for companies containing advice about how to build security into products connected to the Internet of Things, and encouraged companies to implement a risk-based approach and take advantage of best practices developed by security experts (such as using strong encryption and proper authentication).
The FTC report reflects growing global concerns about the explosion of the Internet of Things and its impact on consumers' privacy. In this regard, and as we previously reported, these concerns were recently addressed by the EU 29 Working Party.
This report followed an announcement by the Chairwoman of the FTC, who observed that the Internet of Things can eventually lead to a privacy crisis, and urged companies to adopt a "security by design" model, minimize data collection and increase transparency by letting consumers know exactly how their information will be collected and used by the product.
Moreover, the FTC Bureau Head has also recently advocated online behavior transparency and called upon companies to be more forthcoming about how they are using consumers' data, warning that failing to provide meaningful notice and choice was likely to attract the attention of the regulators.