Written By: Kaleigh Fitzpatrick
On Tuesday, January 27, the Federal Trade Commission (FTC) called on technology companies selling Internet-connected devices to institute comprehensive measures to protect users’ data security and privacy. The report, entitled “Internet of Things: Privacy and Security in a Connected World,” urged companies to make data protection a top priority because connected devices present serious data security and privacy risks. These devices are interconnected via the Internet of Things, which allows everyday objects to connect to the Internet and to send and receive data. The Internet of Things (IoT) includes such connected devices as in-car sensors that can record vehicle location and speed, health and fitness monitors, and glucose monitors that can send information on diabetic patients to their doctors. Basically, the IoT includes any device or sensor, other than, computers, smartphones, or tablets that connect, store or transmit information with or between each other via the Internet. The use of IoT is rapidly expanding, as there are now over 25 billion connected devices in use worldwide, a number that is expected to reach 50 billion in just five years.
These devices bring technological advances that have huge potential benefits. However, these connected devices also raise numerous privacy and security concerns. The FTC states that its mission in releasing this report is to increase the trust of American consumers in integrating these devices into their everyday lives. The FTC is concerned that without the American consumer believing that their data is protected when using these devices, the Internet of Things will not reach its full potential for innovation.
The report includes the following recommendations for companies developing IoT devices: (1) build security into devices at the outset, rather than as an afterthought in the design process; (2) train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization; (3) ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers; (4) when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk; (5) consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network and; (6) monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks. Additionally, the FTC recommends that companies consider limiting the collection of consumer data, and retaining information only for a set period of time; not indefinitely.
This kind of data minimization addresses two key privacy risks. First, the risk that a company with a large store of consumer data will become a dangerous target for data thieves or hackers and second, that consumer data will be used in ways contrary to consumers’ expectations. The report takes a flexible approach to data minimization. Companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data; or choose to de-identify the data collected. The FTC also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.
The FTC concurs with many stakeholders that any IoT-specific legislation would be premature at this time given the rapidly evolving nature of the technology. The Commission points to existing legislation that can be enforced to protect consumer privacy including the FTC Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act. In the past, the FTC has challenged poor data security practices under the FTC Act. Despite this consensus that specific IoT legislation would not be productive at this time, the Commission has encouraged Congress to enact a broader and more baseline federal consumer privacy law. Federal data security and breach notification legislation is critical because states currently have varying data security laws. These varied state-level laws present significant challenges for companies that operate across state borders to successfully abide by all of the differing laws. The results are unnecessarily burdened companies and wide-ranging protections for consumers depending on which state they live in. A single standard would provide companies with a single law to follow and would give consumers an expectation of what would happen if a breach occurred. In light of the lack of standardized legislation in this area, the FTC is actively utilizing other avenues to increase protections for consumers. The FTC has invested time and funding in policy research and development to better understand the existing technology and educating consumers and businesses about how to maximize benefits and reduce risks of this technology. Additionally, the FTC has utilized existing enforcement tools to protect consumers presently.
Although the report highlights the issues that the FTC intends to oversee and underscores best practices for companies, it still does not carry the weight of enforceable regulations. Despite this lack of enforceability, data security and privacy experts seem to believe that this report has the potential to increase protections at least with larger well-known technology companies, if only to reduce any business risk of federal investigations. In order to ensure the continued rapid growth in technological innovation and its associated benefits, the FTC is correct is stating that the trust of the American consumer is absolutely critical. Furthermore, the only way to gain that invaluable trust is to ensure the American consumer that their data is safe. However, it is not just the trust of the American people that should be the goal of data protection. A guarantee of data security is absolutely essential for the success of our society because if the American citizen’s data is inadequately protected, we will unfortunately be faced with bigger problems than just a halt in innovation.
Kaleigh is a Staff Member of the Journal of High Technology Law. She is currently a 2L at Suffolk Law. She holds a Combined Masters in Child Development and Urban/Environmental Policy and Planning and Bachelor of Arts from Tufts University.