By a 4-1vote, the Federal Trade Commission (FTC) adopted a report on Tuesday that recommends six best practices that companies should undertake in protecting the privacy and security of personal consumer data used in support of the Internet of Things (IoT). The 71-page report is said to be based on material derived from a November 2013 FTC workshopon IoT, as well as on public comments submitted to the FTC on the subject. Statistics cited in the report show that there are 25 billion IoT devices in use today that include automobiles, thermostats, home appliances, health monitors, and watches. Experts anticipate the number of IoT devices will double by 2020.
The report focuses exclusively on IoT devices “that are sold to or used by consumers” and does not address “devices sold in a business-to-business context” or machine-to-machine communications “that enable businesses to track inventory, functionality or efficiency.” Industry best-practices recommended by the FTC include: (1) incorporation of security features in IoT devices “at the outset, rather than as an afterthought in the design process,” (2) training employees on the importance of security, (3) ensuring that outside providers “are capable of maintaining reasonable security,” (4) consideration of “defense-in-depth” strategies whereby “multiple layers of security may be used to defend against” identified security risks, (5) measures to prevent unauthorized users from accessing consumer devices and related network data, and (6) monitoring IoT devices “throughout their expected life” and providing security patches when needed “to cover known risks.”
Declaring, “the only way for the [IoT] to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez predicted that, “by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want.” Charging, however, that the report lacks “analytical support,” FTC Commissioner Joshua Wright maintained in a dissenting statement that “an economically sound and evidence-based approach to consumer protection . . . would require the Commission to possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it.” In remarks on the report’s release, House Energy and Commerce Committee Chairman Fred Upton (R-MI) stressed, “we must exercise great caution to avoid the slippery slope of the Internet of Things evolving into the Internet of Regulation.”