Last year, there were an estimated 16 billion devices connected to the Internet, and predictions say that the number will rise as high as 30 billion devices by 2020. The Internet of Things (IoT) has gained publicity (or notoriety) as yet another data source that may be subject to litigation or investigations in an eDiscovery context, and there have been a few cases already (e.g., a Fitbit device has played a prominent role in a criminal case) involving IoT data. There’s likely more to come, presenting yet another major headache for corporate counsel and their legal teams given the wealth of data stored in IoT devices.
Yet so many devices collecting data on every aspect of our lives give rise to a number of critical issues—so many that to call it merely the Internet of Things trivializes its importance. Rather, it could also be called the Cybersecurity, Privacy, Information Governance, and eDiscovery of Things.
If a cybercriminal hacks into a firewall and delves into a company’s benefits database, there are risks of data loss and privacy breaches. But when an Internet of Things device is breached, the ramifications can be even more dire. If a hacker intercepts an unmanned vehicle’s Internet connection and sends it malicious directions, it could lead to property damage as well as severe injuries or even death. Or, if a hospital is the subject of a denial-of-service attack, it could compromise medical records or even allow outsiders to manipulate medicine dosage through Internet-controlled pumps.
Who owns the data that these devices create? Is it the exerciser tracking steps with a fitness device, the homeowner adjusting a thermostat, or the driver of a car? In general, no. The companies collecting this data often reserve the right, within their terms of service agreements, to access, use, and even sell that data. And sometimes devices collect data without users consenting or even being aware: for example, connected streetlights and beacons in retail outlets. Depending on where the data is collected, processed, and stored, it could also implicate cross-border data protection laws.
With the Internet of Things, companies have access to a number of new data streams that may be relevant for regulatory matters or lawsuits. But because most of these devices simply gather data and send it to the cloud, they create complicated issues: identifying where the data is located, and then negotiating with a third-party provider regarding its retention, control, and custody.
Each of these issues has the potential to spawn litigation and regulatory actions. Recognizing the risks, counsel at the forefront of these challenges are taking several steps. First, they are embracing their ethical duty to remain technologically competent by understanding the implications of these devices. Second, they are considering what technologies their organizations are deploying and what data they are collecting and storing. Third, they are ensuring the impact of the Internet of Things is contemplated in policies and procedures that address privacy, security, records management, and litigation readiness. Finally, they are working with eDiscovery specialists to devise ways to preserve and collect the relevant data for litigation and investigations.