What is the "Internet of Things"? It sounds like a philosophical question, but the FTC recently defined it as "‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet."
At first glance, especially when one considers what is excluded from this definition, this would not seem like a great universe of things. That is, until you consider how many things we own and use that are continually connected to the Internet: cameras that allow you to post pictures directly online, systems that turn on lights when you leave work, bracelets that share your workout information with the rest of the world, cloud-connected printers, and medical devices that track utilization and/or vital signs for submission to health care providers. This list, along with the related risks, is growing exponentially. In fact, there are more than 3.5 times as many devices connected to the Internet (approximately 25,000,000,000) as there are people in the world (approximately 7,000,000,000). The number of connected devices will continue to grow as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue their heavy investment in connected devices.
Recognizing the benefits of these devices, along with the growing risks, on January 27, 2015, the FTC released a report, "Internet of Things: Privacy and Security in a Connected World." In it, the FTC noted the many benefits of a more connected world, but also provided a series of "concrete steps that businesses can take to enhance and protect consumers’ privacy and security." To briefly summarize, per the FTC and its panel of experts, businesses developing Internet of Things devices should:
- Build security into devices at the outset, rather than as an afterthought in the design process
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization
- Ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks
In addition, the FTC counsels that businesses adopt policies of "data minimization – ... limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely." In the FTC's view, such policies will make companies with large amounts of consumer data less attractive targets for hacking and make it less likely that consumer data will be used for improper purposes. Moreover, when consumer data is used beyond a consumer's "reasonable expectations," the FTC counsels that consumer notices be provided.
Ominously, though it acknowledges that legislation related to the Internet of Things may be premature, the FTC notes that it has a
"[R]ange of tools currently available to protect American consumers’ privacy related to the Internet of Things, including enforcement actions under laws such as the FTC Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act; developing consumer education and business guidance; participation in multi-stakeholder efforts; and advocacy to other agencies at the federal, state and local level."
Presumably, these tools will be implemented to punish those who engage in – and those who allow – among other things, unauthorized access to or misuse of personal information obtained through a connected device; infiltration and destruction of networks (both wired and cloud-based); and the hijacking of cameras and similar devices to violate an individual's privacy. And, unfortunately, the only thing that may keep pace with the growth of Internet of Things devices is the expanding number of lawsuits, enforcement actions, and complaints that will likely result from such incursions. Now that the FTC has issued its guidance, companies utilizing and producing connected devices should review their security measures, develop response plans, and engage in legal and operational risk management to address these data security issues. "Let the wild rumpus start!" (Maurice Sendak, Where the Wild Things Are (1963)).