The complexity and growth of the Internet of Things (“IoT”), which is the concept of connecting essentially any electronic device to the internet, have led the FTC to anticipate serious security and privacy risks.
These risks have recently materialized into actual breaches.
A loophole in Jeep's software allowed computer hackers to remotely hijack a moving Jeep Cherokee being driven on a Midwestern highway in July. Fiat Chrysler Automobiles is now offering a patch for the Jeep software. Security risks are not limited to one automobile brand. The programmers who executed the Jeep hack discovered vulnerabilities in 19 other 2014 models. In January, BMW disclosed a since-resolved flaw that allowed hackers to open doors to 2.2 million automobiles.
Alleged breaches of airplanes have also been discovered. The FBI is currently investigating a computer security consultant who claimed in an affidavit that he hacked into airplanes' in-flight entertainment systems up to 20 times between 2011 and 2014. He told the FBI in February that he had previously taken control of a plane through the in-flight entertainment system and made the plane fly sideways. In April, he was removed from a United Airlines flight after tweeting that he was considering hacking the plane. He is not currently charged with any crime, but the investigation is ongoing.
While the IoT provides significant benefits, including easier information storage, increased connectivity, and improved health services, it also creates significant risk potential. Connected devices, from cell phones to software in cars and planes, are used to store and share highly personal and confidential information. Unlike more established hardware and software companies, newer entrants into the emerging connected device arena may not have spent years adequately testing security of new devices. When connected devices are breached or consumer information from these devices is utilized in a way unforeseen by the consumer, the impact can be devastating.
Despite these risks, the IoT is growing. An estimated 25 billion connected devices are predicted to be online in 2015, and approximately 25 million homes will be equipped with smart home devices this year. By 2022, almost 80 percent of cars sold globally will be connected.
Strategies: With the Increase of Actualized Threats to the Internet of Things, What Should Companies Do?
According to the FTC, companies in the IoT space need to consider three risk areas:
- the implications of ubiquitous data collection;
- the potential for unexpected uses of consumer data that could have adverse consequences; and
- heightened security risks.
Simple consideration, however, is not sufficient. The FTC also recommends that companies “bake" security and privacy into all connected devices. To do so, the FTC sets out three measures to address security issues and risks to consumers.
- Companies are encouraged to adopt “security by design.” This involves careful planning in the development of the security technology that will be utilized by the connected devices released into the market. Companies are also encouraged to integrate privacy and security risk assessments in the design process.
- Companies should engage in data minimization.
- Companies should focus on increasing transparency and providing consumers with notice and choice for unexpected data users.
There are a number of complex questions to consider in light of the FTC’s guidance and recent breaches of these emerging technologies. As these issues become the focus of increasing regulatory attention, it would be prudent for companies developing and producing these consumer connected devices to give careful consideration to suggestions from the FTC. Most importantly, companies should be thinking about:
- how to implement the FTC guidance into their design and production;
- how to identify and inventory the types of data collected from these devices; and
- how to develop and communicate transparent policies and controls surrounding the collection, use and sharing of data obtained through the use of these connected consumer devices.