On January 27, 2015, the FTC released its Staff Report on the so-called “Internet of Things” (IoT) – the ability of everyday objects (from refrigerators to wearable devices) to connect to the Internet and send and receive data. In addition to the Staff Report, the FTC released a guidance document entitled “Careful Connections: Building Security in the Internet of Things” (“Guidance”).
The Staff Report focuses on the rapid growth in the number of IoT devices – approximately 25 billion connected devices in 2015 and up to 50 billion by 2020 – and the many benefits and risks associated with the devices. Highlighted risks include those associated with enabling unauthorized access and misuse of personal information, facilitating or enabling attacks on other systems, and new risks to personal safety.
The Staff Report reiterates the significance of the Fair Information Practice Principles of security, data minimization, notice, and choice.
- Security. The Staff Report encourages “security by design,” emphasizing that companies should build security into their devices at the outset. This process includes: (a) conducting a privacy or risk assessment; (b) minimizing the data collected and retained; and (c) testing security before launch. The Staff Report also emphasizes the importance of proper training of staff, retaining vendors with appropriate security practices, using multi-layered security, reasonable access controls, and monitoring and patching products after release.
- Data Minimization. The report also discusses the greater risk associated with collecting large amounts of data and retaining it for long periods of time. The FTC suggests that companies should consider options with respect to how to minimize data, such as not collecting data at all, collecting only the data necessary, collecting less sensitive data, or de-identifying data.
- Notice and Choice. The FTC recognizes that notice and choice can be difficult with connected devices. Echoing recommendations in the FTC’s 2012 Privacy Report, the report notes that companies are not generally compelled to provide notice and choice for practices consistent with the context of the transaction or the company’s relationship with the consumer. Companies should generally obtain express, informed consumer consent for unexpected collection of volumes or types of data. Regardless of the method, the FTC emphasized that privacy choices should be clear and prominent and not buried in long documents.
- Legislation. The FTC recommends that Congress enact federal data security legislation to strengthen the FTC’s existing data enforcement tools and to provide notification to consumers when there is a security breach. The Staff Report did not recommend that this legislation be limited to the IoT, but rather that it should be technology-agnostic. In the absence of this legislation, the FTC indicates that it will continue to rely on its existing enforcement tools (FTC Act, FCRA, COPPA, etc.) to ensure that IoT companies consider privacy and data security when developing new devices.
The Guidance provides that while there is no “one size fits all” checklist to guarantee the security of connected devices, companies should still take reasonable steps to ensure the security of both the devices and the data they collect. Like the Staff Report, the Guidance emphasizes the importance of “security by design,” but it also promotes a culture of security, the use of multi-layered security, and common-sense recommendations such as refraining from shipping IoT devices with default passwords (which become readily known shortly after a product is released).
The Guidance also recommends designing products with authentication in mind and protecting the interface between the product and other devices or services. The Guidance recommends setting the more secure option as the default option on a product rather than setting the default on the least secure option, as this helps ensure protection for inexperienced users.
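The two Guidance recommendations above (no shared default passwords; the more secure option as the factory default) can be enforced as a pre-ship check on a device's configuration. The following is an added illustration, not code from the FTC Guidance or any vendor; the configuration field names, the list of "known default" passwords and the set of secure-default settings are assumptions constructed for the example.

```python
"""Pre-ship configuration check for an IoT device image (added example).

Checks three things the text above calls for:
  1. the admin credential is not a widely known factory default,
  2. the device forces a credential change on first login, and
  3. every security-relevant setting ships with its more secure value as default.
A batch-level check also flags a password shared across units, since a
"random" password that is identical on every device is a default in practice.
"""
import secrets
from collections import Counter
from dataclasses import dataclass, field

# Constructed list of credentials commonly shipped as factory defaults (assumed).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", ""}

# Assumed setting names; the value is the secure option that must be the default.
SECURE_DEFAULTS = {
    "remote_admin_enabled": False,   # no admin interface exposed to the WAN by default
    "tls_required": True,            # protect the device<->service interface
    "upnp_enabled": False,           # no automatic port opening on the home router
    "telnet_enabled": False,         # no cleartext legacy management service
    "auto_update_enabled": True,     # patching after release must not need opt-in
}


@dataclass
class DeviceConfig:
    serial: str
    admin_password: str
    must_change_password_on_first_login: bool
    settings: dict = field(default_factory=dict)


def check_config(cfg: DeviceConfig) -> list:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if cfg.admin_password in KNOWN_DEFAULT_PASSWORDS:
        findings.append("admin password is a widely known factory default")
    if not cfg.must_change_password_on_first_login:
        findings.append("device does not force a credential change on first login")
    for key, secure_value in SECURE_DEFAULTS.items():
        actual = cfg.settings.get(key)
        if actual is None:
            findings.append(f"{key} is unset; secure default {secure_value!r} expected")
        elif actual != secure_value:
            findings.append(f"{key}={actual!r} ships with the less secure option as default")
    return findings


def shared_passwords(configs: list) -> set:
    """Passwords that appear on more than one unit in a production batch."""
    counts = Counter(c.admin_password for c in configs)
    return {pw for pw, n in counts.items() if n > 1}


def provision_unique_password(nbytes: int = 12) -> str:
    """Per-device random credential (e.g. printed on the unit's label) generated
    with the OS CSPRNG, so no two units share a password and none is guessable."""
    return secrets.token_urlsafe(nbytes)


def hardened_config(serial: str) -> DeviceConfig:
    """Build a config that satisfies every check: unique credential, forced
    change on first login, and the secure value for every setting."""
    return DeviceConfig(serial, provision_unique_password(), True, dict(SECURE_DEFAULTS))


if __name__ == "__main__":
    # Constructed sample: a unit shipped with a shared default and weak defaults.
    weak = DeviceConfig("SN-0001", "admin", False,
                        {"remote_admin_enabled": True, "tls_required": True,
                         "upnp_enabled": True, "telnet_enabled": False})
    for finding in check_config(weak):
        print("FAIL:", finding)
    print("hardened unit findings:", check_config(hardened_config("SN-0002")))
```

The batch check matters as much as the per-unit check: a per-device credential derived from something public (a serial number or MAC address) or copied across a production run is as weak as a printed default, which is why the example generates it from the CSPRNG and then verifies uniqueness across the batch.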
The Guidance also suggests “just in time” notices to better educate consumers about safe use of the product, with easy access to security settings, and that firms should think through how product updates will be handled over time, including planned obsolescence. Lastly, the Guidance recommends that companies stay informed of the latest security threats and vulnerabilities and communicate clearly with customers.