This week, after a seemingly endless year of construction, my family and I moved into our new, energy-efficient home. As I was in the kitchen unpacking, my daughter cried out, somewhat dramatically, “Mama, come here …. The thermostat is watching me…” Whereupon she proceeded to demonstrate this by waiting until the thermostat went dark and then walking toward it, causing it to awaken. Being a seasoned privacy and e-discovery lawyer, I responded with equal drama, “Of course dear … We are living in the age of the Internet of Things.” She was unimpressed with my knowledge. But it did get me to thinking. Isn’t e-discovery hard enough without worrying about the Internet of Things (“IoT”)?
The IoT seems to have popped up everywhere around us. Bob Gohn at Navigant has a great background piece on the IoT as well as a piece on the types of devices that make up the IoT and the security risks they create. But in layman’s terms, the IoT refers to all the devices that collect data through the use of sensors and connect to the internet that are not traditionally thought of as computing devices. It is exemplified not just by my nifty thermostat, but also by the FitBit, Google Glass, and even that smart parking meter that tells the meter reader when to come give you a ticket. The IoT is so pervasive in fact that the term is used interchangeably with the term the “Internet of Everything” and is expected to eclipse the market for traditional computing devices.
Certainly privacy and data security issues related to the IoT are legion. Given the ubiquity of the IoT, there is little doubt that it is only a matter of time until issues over devices that make up the IoT arise in regulatory enforcement proceedings and litigation. In fact, late last year, the FTC announced that it had its eye on the consumer risks presented by the IoT by filing a seven-page complaint against TRENDnet, a company that sells internet-connected cameras. The FTC complaint, which was settledjust a few weeks ago by consent order, alleged that TRENDnet’s practices failed to provide reasonable security “to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras.” And just in case this enforcement activity wasn’t enough of a signal of its interest in the IoT, the FTC presented a workshop on the IoT, Internet of Things – Privacy and Security in a Connected World, late last year as well.
So knowing that litigation and enforcement actions are possibly on the horizon, what does the IoT mean to the practicing information governance lawyer? Well, at a minimum, it means that there are vast stores of data that may not have previously been considered that are in the custody of our clients, our adversaries, or even third parties. It means that we need to be asking our clients new questions about the data they collect and maintain or that is collected and maintained on their behalves. It means we need to consider how that data is stored, secured, and accessed and whether our clients have policies and practices in place designed to protect that data either from a security breach or from spoliation in the event of litigation.
From an adversarial perspective, we need to think carefully about reverse-engineering the issues in our litigations to ensure that the discovery plan is tailored to obtain relevant data collected through IoT devices, whether that data resides with an adversary or a third-party in the cloud. And it means that the already overwhelming amount of data that we deal with in practice just got that much bigger. While it’s easy to panic over the explosion of data sources that could be subject to discovery, the starting point is always relevance, and a discovery plan that focuses first on what is likely to be relevant should go a long way to thinking practically about the IoT. Thus, strategic thinking about what data is truly needed for a case, targeting discovery to that data, and engaging in a robust and meaningful conferral process with opposing counsel or regulators is all the more vital. And, for a while at least, it may mean educating adversaries about the existence and nature of this data.
In sum, the IoT is the next front in e-discovery and will require bringing to bear all the sophistication acquired in a traditional e-discovery practice. In hindsight, e-discovery and data governance as it exists now, and which for many has involved a lengthy process of getting up to speed, will look like a mere training ground for what’s to come thanks in part to the IoT. And those who have not so far developed this expertise will be left irretrievably behind.