This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
What do baby video monitors, Nest® thermostats, Jawbones®, FitBits® and, perhaps shortly, police body cameras have in common? They all send data, or may soon send data, to cloud repositories over channels that may not be secured, and consumers have little knowledge of those channels, few choices about them, and little reason to believe their data is private or secure.
All that may change shortly. Following pronouncements during the summer by Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez on the data security and privacy concerns raised as devices connected to the Internet (including cars, microwave ovens, thermostats and baby monitors) proliferate, the FTC has issued a Staff Report that raises many of the same data security concerns voiced months ago by the Article 29 Data Protection Working Party in its Working Document WP 223, entitled “Opinion 8/2014 on Recent Developments in the Internet of Things”. Those concerns are data security and privacy, data minimization, notice of privacy and security protections, and consumer choice with regard to those protections. For once, Europe and the U.S. may be aligned on cyber security and privacy concerns in a way with little precedent, given how the U.S. government often regards foreign laws and regulations. The FTC report actually cites the European opinion.
Casting the Staff Report as a candle lit rather than a curse directed at the darkness, FTC Chairwoman Ramirez characterized the FTC’s actions as a potential marketing opportunity for the connected devices industry and its business partners such as cloud hosting providers. She said, in a statement reported by The New York Times, “Many of us are using these devices,” but “if consumers feel that their information isn’t being protected, they won’t have the confidence level to embrace them.”
The Staff Report on connected devices, often called the “Internet of Things” (IoT), states that the Commission, at least for the moment, “encourages companies” to “build security into their devices, rather than as an afterthought,” through such measures as conducting risk assessments, testing their security measures, and minimizing the data they collect and retain.
The FTC has previously exercised enforcement jurisdiction over the IoT, and this Report indicates that it may be prepared to expand such activity. In 2014, the Commission settled a complaint about IoT security issues involving a child monitor whose security settings permitted anyone with the camera’s Internet address to view the house in which it was operating and any children inside.
The Report echoes some of the European concerns by encouraging manufacturers to give consumers notice of how data from IoT devices are collected, stored and disclosed, and to give consumers choices as to how their data is managed. But perhaps the greatest concern in the Report was security. IoT security risks were grouped into three categories: safety risks, unauthorized access, and “facilitating attacks on other systems.” Examples gleaned from participants’ comments at an FTC workshop included the use of connected devices to build a botnet for denial-of-service attacks. Perhaps more frightening was a comment by a participant who described an incident in which vulnerabilities in a system of connected insulin pumps allowed an attacker to gain access and change the medicine delivery settings.
Privacy, as has been stated many times, is enabled by security, but it also depends upon transparency and choice. The FTC observed in the Staff Report that 10,000 households using one IoT device “can generate up to 150,000,000 discrete data points per day.” With analytics applied, these data points can be used to assess behavior without the consumer’s knowledge. According to the Report, this has already been done by certain insurance companies with regard to driving habits, and employers may look to data collected and transmitted by athletic activity trackers like FitBits® to decide whether to hire or retain an employee (is he or she a good health risk?). Cloud hosting providers that store such information may therefore be drawn into FTC proceedings, privacy litigation or employment discrimination litigation if they disclose hosted device data without consent.
While proposals in Congress for new privacy and cyber security legislation remain stalled, the FTC seeks to fill the vacuum through enforcement under its existing authority (deceptive trade practices proceedings where privacy and security practices do not live up to published policies) and through reports that may be the forerunners of new regulations for IoT devices and their security.
By Kenneth N. Rashbaum, Esq.