The rapid growth of the Internet of Things (“IoT”) has brought significant new opportunities for businesses across sectors. From consumer products such as smart homes or connected cars to business implementations in supply chains or delivery networks, these connected devices are creating new markets and new efficiencies for global businesses. But the Internet of Things also raises a wide range of cybersecurity and data privacy questions for general counsels and their legal teams. Here we discuss five questions for general counsels to consider in managing such cybersecurity risks and data privacy challenges posed by the Internet of Things.
What Is Our Exposure to the IoT?
Manufacturers and distributors of smart devices such as connected toys or medical devices have obvious interest in the cybersecurity and data privacy risks associated with the products they design, build, and sell. But the IoT is a concern not only for manufacturers and distributors of connected devices. A company may rely on smart sensors or other connected devices in manufacturing contexts that may be outside the authority (and risk management processes) of the information technology or security groups. Or a company may be exposed to risk from its vendors’ use of IoT devices (e.g., a logistics vendor that relies on various smart tracking tools). Whatever a company’s exposure to data privacy and cybersecurity risks from the IoT, understanding those risks will be the first step toward mitigating them.
What Are the Applicable Regulatory Expectations?
Regulators increasingly are focused on ensuring cybersecurity and data privacy with respect to the IoT. The Federal Trade Commission, for example, has taken on a leadership role, including by already bringing enforcement actions against companies that it believed were not taking adequate steps to protect cybersecurity and data privacy in connected devices. In addition, sectorspecific regulators have issued guidance for managing cybersecurity and data privacy issues within their respective areas of jurisdiction. The National Highway Traffic Safety Administration, for example, has issued cybersecurity best practices for connected vehicles, and the Food and Drug Administration has issued guidance for both the pre-market and post-market management of medical device cybersecurity. In addition, data privacy regulations such as the EU General Data Protection Regulation (“GDPR”) may apply to the data collected by such devices. Understanding how these and other regulatory expectations apply to a company’s business will be important to managing the cybersecurity and data privacy risks associated with the IoT.
How Are We Managing Cyber Risk to Connected Devices?
Companies use different tools to mitigate cyber risks posed by the IoT. A manufacturer of connected devices may use threat modeling and penetration testing to identify vulnerabilities and assess risks prior to product launch, for example, or create a vulnerability disclosure program to manage collaboration with third-party researchers after launch. Or it may use contractual provisions to ensure that its suppliers take comparable steps. Likewise, companies may build governance programs to consistently address cybersecurity and data privacy risks associated with the IoT across their enterprises, whether the connected devices are used by those companies directly or by their critical suppliers.
How Are We Managing Data from Connected Devices?
The highly valuable and often sensitive data collected by connected devices offers enormous opportunities for businesses. Allowing businesses to monitor functions, spot patterns and trends, more deeply analyze factors relevant to their operations—and much more—this data is likely to become among the most valuable assets of many businesses. But this data also presents challenges, particularly when combined with the use of Big Data analytics. Businesses that purchase IoT solutions, smart devices and related products will benefit from carefully considering data ownership and use rights and from clearly allocating those rights through appropriate contractual terms. Likewise, understanding what information is personally identifiable—or can become personally identifiable once combined with other data sets—is likely to be highly important. Businesses should also evaluate whether any transfers of such data will be performed in compliance with the EU GDPR or other relevant regulations. Moreover, businesses should think through other potential consequences, including whether the collection of such data may increase the burden of responding to document demands by regulators or private litigants (or be used to argue that the data made certain outcomes increasingly foreseeable to those businesses).
What Is Our Litigation Risk?
Cybersecurity and data privacy litigation has long presented substantial risks to companies, particularly in the aftermath of a data breach. This litigation is now spreading to the IoT, with plaintiffs filing suit over alleged deficiencies in a wide range of connected consumer products. This litigation over cybersecurity and data privacy in the IoT is poised to grow substantially over the coming years. It is not yet clear to what extent such litigation will succeed. Threshold inadequacies in the constitutional standing of prospective class plaintiffs may well defeat such litigation, as may infirmities in the claims pled and in the putative class that the plaintiff seeks to represent. The high stakes of such litigation, however, recommend attention to the potential litigation risk associated with an implementation of IoT devices. Gaining an understanding of those risks (preferably in a privileged context to facilitate candid conversation) will be critical to mitigating those risks.