On January 27, 2015, the United States Federal Trade Commission (FTC) released a report discussing privacy and data security in consumer devices connected to the internet. 

The Internet of Things (IoT)

The FTC defined the IoT to include things such as devices or sensors, other than computers, smartphones or tablets, that connect, communicate or transmit information with or between each other through the internet.  Examples include smart thermostat systems or washers and dryers that utilize Wi-Fi for remote monitoring.

Data Security and Privacy Risks

While the FTC acknowledged some benefits of the IoT, it cautioned that the IoT presents a variety of data security and privacy risks.  The risks include: (i) the enabling of unauthorized access to and misuse of personally identifiable information (PII), (ii) the facilitation of attacks on other interconnected systems, and (iii) the creation of safety risks.  While the first two risk factors are common in the traditional computing environment, the third represents a new, physical type of risk.  For example, it may be possible to remotely hack into a connected medical device and change its settings, impeding its therapeutic function.

Recommendations

Data Security

The FTC recommended that companies focus on data security when developing connected devices and offered the following approaches to IoT companies when developing their products:

  • building security into the devices at the outset of development by conducting an initial privacy or security assessment, considering how to minimize the data collected and retained, and testing security measures before launching the product;  
  • ensuring that their personnel practices promote good security;  
  • retaining service providers that are capable of maintaining reasonable security and providing reasonable oversight;  
  • implementing a defense-in-depth approach for systems with significant risk in which security measures are considered at several levels;  
  • imposing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data or network; and  
  • continuing to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Data Minimization

The FTC also recommended that IoT companies reasonably limit their collection and retention of PII.  These practices, known as data minimization, can help mitigate privacy-related risks.  The FTC recommended that:

  • IoT companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of PII; and  
  • to the extent there is a need to collect and store PII, IoT companies should consider whether they can do so while maintaining the PII in a de-identified form.

Notice and Choice

The FTC acknowledged the difficulty of notifying customers of a company’s privacy practices and offering customers a method to modify privacy settings in the IoT context.  However, the FTC made clear that simply making a privacy policy available on a website is not sufficient – the FTC recommended that companies should find ways to meaningfully present privacy notices and choices to customers, including in the set-up or purchase of the IoT device itself.

Canadian Implications

The Office of the Privacy Commissioner of Canada previously highlighted the IoT as creating potential privacy issues.  In September 2014, the Commissioner called for proposals under the 2015–16 Contributions Program and specifically highlighted the IoT as an area that needed to be explored.

The recommendations contained in the FTC’s report provide useful guidance and best practices for companies operating in the IoT space in Canada to mitigate privacy and data security risks.