With the number of internet-connected devices rapidly surpassing the number of people on the internet (actually, all people, whether or not connected), we take this opportunity to explore some of the legal complexity brought about by all of this connectivity. First, some background:
- Cisco Internet Business Solutions Group predicts 25 billion devices will be connected by 2015, and 50 billion by 2020;
- The current world population is approximately 7.2 billion;
- IPv6 uses 128-bit addresses - limit: 340 trillion addresses.
This means that with the current population, we have the ability to assign over 47,000 addresses/devices per person.
The Sheep's Clothing
The Internet of Things has some wonderful benefits. For example:
- You can now remotely control your thermostat to save energy;
- You can monitor systems in your house when away to protect its physical security;
- Companies can monitor the flow of goods and inventory through their systems;
- Utilities can manage the flow of resources based on supply and demand through smart metering;
- Distributors can monitor the movement of their fleets;
- Municipalities can monitor flow of traffic on streets and availability of parking spaces;
- And the list goes on as far as our imagination.
But . . . the Internet of Things also creates huge amounts of information. And with that information come all of the risks and challenges of having information. Companies or other entities collecting or processing information need to protect the confidentiality of that information. Information about an individual's things can disclose significant information about that individual.
For example, the GPS tracking on a cell phone may be used to tell the owner of an App where the person is going, which could disclose private information, or even Protected Health Information--imagine, if you will, a company that uses the GPS tracking to monitor the movement of its distributed sales force and learns that one of the sales personnel has been frequenting a certain kind of medical establishment.
Entities need to understand what information they may obtain, and need to develop clear policies and manage expectations of the users. In some countries, even having employees consent to such monitoring may not be enforceable given the "coerced" nature of employee "consent."
This gets even more concerning when companies are monitoring their customers rather than their employees. Although the monitoring may be for the most well-intentioned purposes, the company still possesses sensitive data. For example, the App on smartphones that tracks where people exercise using GPS also knows when people are exercising far from home. If someone were able to hack into that data, they would know when would be a good time to break into the home or harm the user's family.
In addition to privacy concerns, there are also more direct employment concerns. Internet-connected devices make it easier for employees to work whenever and wherever. This sounds great, but this also means that hourly employees may be encouraged to work outside of their normal work hours. Not only does the device facilitate this extra work, it also reports on it. There are reported cases where this has led to companies incurring unanticipated overtime liability for hourly employees responding to emails from their smartphones.
The Internet of Things also facilitates more direct monitoring--both by private companies and by the government.
Having this data also makes an entity subject to inquiries from law enforcement and in litigation. This volume of data compounds the classic eDiscovery problems, which can drive huge costs in terms of gathering, reviewing, and providing data. In addition, a company may be faced with a decision of incurring the legal expense of defending a request for information to protect the privacy of its customers, or sharing the information and affecting its reputation with the customer base.
Don't Get Eaten
So, what is the purpose of this blog post? The move to the Internet of Things is both unavoidable and, by and large, beneficial. By all means, get on board, or be left behind. But entities should be thoughtful and understand some of the associated risks so that they can be built into the decision-making process. By understanding the legal risks, systems can be designed to generate great benefits while accommodating legitimate legal concerns. Advance awareness and planning can empower those who embrace the Internet of Things, rather than allowing them to be blindsided when it is too late.