United States: Federal Trade Commission Issues Staff Report on Internet of Things.

The Federal Trade Commission (“FTC”) recently issued a report on the Internet of Things (“IoT Report”). The Internet of Things (“IoT”) refers to the ability of everyday objects (ranging from connected smoke detectors and light bulbs to wearable devices) to connect and exchange data with manufacturers, operators or other connected devices (“IoT Devices”). Experts estimate that by the end of 2015 there will be 25 billion IoT Devices and by 2020, that number will reach 50 billion.

Although IoT Devices offer many advantages (including ease and efficiency of use, receipt of useful targeted information and receipt of assistance in emergency situations), they also present increased risks to privacy and security, such as: (i) enabling unauthorized access to and misuse of personal information, (ii) creating risks to personal safety, (iii) facilitating attacks on other systems, and (iv) privacy risks flowing from the collection of personal and sensitive information.

The IoT Report focuses on the principles of security, data minimization, notice and choice, and ways in which use-based approaches can protect consumer privacy. The Report encourages all companies that develop, utilize and/or sell IoT Devices to adopt the following best practices:

  1. Security. Build security into IoT Devices at the outset of the design process, rather than as an afterthought. This process includes: (a) conducting a privacy or risk assessment; (b) proper training of employees; (c) retaining and providing reasonable oversight over outside service providers capable of maintaining reasonable security; (d) using multi-layered security to defend against particular risks; (e) testing security before launch; and (f) monitoring and patching products after release.
  2. Data Minimization. Consider options with respect to how to minimize data – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely.
  3. Notice and Choice. Notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations, e.g., sharing such information with unaffiliated third parties for their own use.

With such an abundance of IoT Devices producing exabytes of consumer data, companies must rethink how they will store, organize, secure and leverage the information. Real-time processing and analysis will become the norm, and without an information governance infrastructure in place capable of handling large volumes of both structured and unstructured data, companies will not only fall behind; they will also unnecessarily increase their exposure (reputational and legal) for violating a user’s right to privacy. As a result, companies should seek advice and counsel to make certain that the right information governance steps are being taken and that these best practices are adequately put in place.