Emphasizing the importance of protecting consumer privacy and security, the Federal Trade Commission recently released its staff report on the Internet of Things.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in a statement about the report. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
For purposes of “Internet of Things: Privacy & Security in a Connected World,” the Commission defined the Internet of Things as devices or sensors sold to or used by consumers other than computers, smartphones, or tablets “that connect, store or transmit information with or between each other via the Internet.”
Based in part on the agency’s workshop held on the topic in November 2013, the report offered six recommendations for companies looking to enter the Internet of Things ecosystem and urged businesses to incorporate privacy principles in their efforts.
Companies should consider security during every part of the design process, “rather than as an afterthought,” the agency said. Employees should be trained about the importance of security and the security measures should be overseen by an appropriate level in the organization. “[C]ompanies must ensure that their personnel practices promote good security.”
Third parties pose significant security concerns, the FTC said. When outside service providers are used, companies should retain only those capable of maintaining reasonable security and their work should be monitored.
The agency recommended that companies adopt a “defense-in-depth” strategy that would utilize multiple layers of security, particularly for systems with significant risk, and implement strong authentication measures that would keep unauthorized users from accessing data or personal information stored on a network.
Finally, the FTC said businesses should maintain a relationship with connected devices throughout their life cycle, and provide security patches when necessary.
The report also stressed data minimization and suggested that companies limit their collection of consumer data and retain the data for a set period of time (not indefinitely). Companies should notify consumers about data collection and how their information will be used, the FTC added, especially if the collection is beyond what a reasonable consumer would expect.
As for legislation, the staff report noted that the passage of a law now would be premature, given the rapidly evolving nature of the technology involved. That said, the FTC took the opportunity to again call for a general law protecting consumer privacy rights “that is both flexible and technology-neutral.”
Why it matters: The Internet of Things has been a hot topic recently, and has prompted a federal hearing on the issue and remarks by FTC Chairwoman Ramirez at the Consumer Electronics Show. Not everyone is in agreement about how to deal with the burgeoning technology, however. Commissioner Maureen K. Ohlhausen concurred in the staff report but did not support two of the recommendations – the call for baseline privacy legislation as well as the report’s support for data minimization. Commissioner Joshua D. Wright filed a dissenting statement, expressing concern that the report makes broad policy recommendations in lieu of the usual workshop report, which synthesizes the record of the proceedings. The “lengthy discussion” of industry best practices and recommendations lacks “analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare,” he wrote.