Benefits and Risks of the Internet of Things

By L. Elise Dieterich
June 01, 2016

The buzz phrase “Internet of Things” is seemingly everywhere. What is it, what can it do for us, and what concerns does it present? More specifically, while the Internet of Things (IoT) presents tremendous opportunities for businesses, are there corresponding risks, or elements of the IoT that businesses should consider staying away from?

The answer to the benefits-versus-risks question is as simple, and as complex, as understanding the privacy and cybersecurity risks associated with any and all Internet-connected technology, be it your personal smartphone or an enterprise-wide software application hosted in the cloud. The IoT, because it connects and communicates via the Internet, is vulnerable to hacking and malware, the same as our e-mail and computers. IoT devices also present, however, specific benefits and risks that are important for every enterprise to understand.

What Is the IoT?

For starters, let's look at what exactly the term IoT refers to. Like many buzz phrases, it depends on the user. A Google search serves up this definition: “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” And indeed, most consumers interface with the IoT through connected devices such as wearable fitness trackers, connected televisions, or that “puppy cam” connected to their smartphone. For businesses, though, a more nuanced definition is in order.

The U.S. Department of Commerce (DOC) recently offered this: “IoT is the broad umbrella term that seeks to describe the connection of physical objects, infrastructure, and environments to various identifiers, sensors, networks, and/or computing capability. In practice, it also encompasses the applications and analytic capabilities driven by getting data from, and sending instructions to, newly-digitized devices and components.”

The Information Technology Laboratory at the National Institute of Standards and Technology (NIST), in a 2016 draft report released for public comment, posited that “the current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident.” Thus, the NIST report proposes “a common vocabulary to foster a better understanding of IoT” that assumes the IoT will typically be comprised of, at a minimum, a sensor, an aggregator, a communication channel, an external utility (a software or hardware product or service), and a decision trigger. Id. at 15.

A mundane example of this is the FitBit, which senses information about the wearer's physical activity, aggregates that information over time, and communicates it to the wearer's smartphone or computer, where the wearer can evaluate and act on the information. Sensor-driven devices operating in the IoT framework are all around us and range from connected cars and smart TVs to industrial controllers, inventory trackers, and implanted medical devices with Wi-Fi built in.

A More Straightforward Explanation

At root, the IoT is fairly straightforward: my device senses something and uses the Internet to communicate with me about it. Things get more complicated, though, when we take account of the fact that most connected devices require an intermediary (usually the hardware or software provider) and that intermediary typically also has access to our information. The FAQ on the website for Nest, a Google subsidiary that sells home IoT devices such as smoke detectors, video cameras and thermostats, illustrates the access that an IoT device provider can have to sensitive data when it asks “[d]oes Nest know when I'm home or not?” and answers “yes.” Nest reassures its users, however, that “[i]f you want to be more literal about it, no one at Nest or Google spends the day looking at a screen tracking if you're home or not.”

With or without an intermediary, connected devices present unique vulnerabilities. A hacked “puppy cam,” for example, can give the hacker a view inside the owner's home. And whereas the risks to e-mail and computers revolve primarily around data loss or misappropriation, the very functionality of an IoT device is at risk. A staged hack that shut down a Jeep Cherokee while traveling on the highway at high speed gained huge visibility last year when an article describing the hack was published in Wired magazine.

Although hacking a car is a sophisticated exploit and likely not a routine danger, the fact that it could be done alarmed both consumers and regulators, and highlighted the risks the IoT poses. Wired exposed another frightening connected device vulnerability last year, when it reported hackers had been able to override the Wi-Fi-enabled aiming system on a rifle. And, regulators have expressed life-and-death concern about the risks to medical devices connected to the IoT. The Food and Drug Administration in 2014 issued medical device guidance that includes the following statement: “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” It has been reported that doctors disabled the IoT functionality of Vice President Dick Cheney's pacemaker while he was in office, for just that reason.

Is This a Real Problem?

How pervasive are these concerns? DOC reports that “by 2015 there were around 25 billion connected devices. Devices now outnumber people by 3.5 to 1.” Even more astounding, “[i]t is expected by 2020 there will be up to 200 billion connected devices ... .” DOC notes, further, that “thus far no U.S. government agency is taking a holistic, ecosystem-wide view that identifies opportunities and assesses risks across the digital economy,” although numerous regulatory agencies have addressed aspects of the IoT in some way.

To begin to remedy this lack of a holistic view, DOC published in the Federal Register on April 5, 2016, a request for public comments on “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.” 81 Fed. Reg. 19956-19960.

The broad scope of the questions set forth in DOC's request for comments is indicative of the IoT's reach, touching on technology, infrastructure, policy, and international considerations, among others. With regard to the privacy and cybersecurity concerns raised by the IoT, the DOC request for comments notes that: “A growing dependence on embedded devices in all aspects of life raises questions about the confidentiality of personal data, the integrity of operations, and the availability and resiliency of critical services.” Id.

Your enterprise may currently be using the IoT for functions as diverse as encouraging employee wellness through a FitBit program, managing inventory using RFID tags, tracking the location of company vehicles using GPS, and improving products through automated feedback from connected software or hardware products. Indeed, your company may be using the IoT in ways you've never thought about: for example, providing QR codes on your products that individuals scan with their smartphones to access information on your company's website. Or, your enterprise may proactively be creating and marketing to consumers products that feature IoT connectivity as a selling point. The benefits of participating in the IoT are myriad, and include convenience, better and more timely data, and higher levels of engagement. Nonetheless, in all these instances, there are important privacy and cybersecurity pitfalls to be avoided.

Privacy Concerns

On the privacy side, IoT device consumers, be they individual or enterprise, should insist on knowing: 1) what data the device is collecting; 2) what data is being shared, and with whom; and 3) how consumers can control data collection and sharing. Purveyors of connected devices should have answers to these questions at the ready, and clearly communicate their data collection, use, and disclosure practices in privacy policies that are easily accessible to consumers. Collecting and using consumer data without informed consent is generally a no-no that can result in significant penalties, not to mention liability in the event of a breach of consumers' information.

Cybersecurity Issues

On the cybersecurity side, the Federal Trade Commission (FTC) recently issued helpful guidance titled “Careful Connections: Building Security in the Internet of Things.” Here, the FTC recommends the following best practices for companies developing and selling IoT devices to consumers:

  • Encourage a culture of security at your company. Designate a senior executive who will be responsible for product security. Train your staff to recognize vulnerabilities and reward them when they speak up. If you work with service providers, clearly articulate in your contracts the high standards you demand from them.
  • Implement “security by design.” Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.
  • Implement a defense-in-depth approach that incorporates security measures at several levels. Walk through how consumers will use your product or service in a day-to-day setting to identify potential risks and possible security soft spots.
  • Take a risk-based approach. Unsure how to allocate your security resources? One effective method is to marshal them where the risk to sensitive information is the greatest. For example, if your device collects and transmits data, an important component of a risk-based approach is an up-to-date inventory of the kinds of information in your possession. An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources to where they're needed most. Free frameworks are available from groups like the Computer Security Resource Center of the National Institute of Standards and Technology, or you may want to seek expert guidance.
  • Carefully consider the risks presented by the collection and retention of consumer information. If it's necessary for the functioning of your product or service, it's understandable that you'd collect data from consumers. But be sure to take reasonable steps to secure that information both when it's transmitted and when it's stored. However, it's unwise to collect or retain sensitive consumer data “just because.” Think of it another way: If you don't collect data in the first place, you don't have to go to the effort of securing it.
  • Default passwords quickly become widely known. Don't use them unless you require consumers to change the default during set-up.

Conclusion

For enterprise consumers of IoT devices, these best practices provide a template for due diligence questions to ask regarding technology your company may be considering.

The goal of the enterprise participating in the IoT should be to maximize the benefits while minimizing the risk. Transparent and carefully tailored privacy practices, coupled with thoughtful and robust security measures, will go far toward achieving this goal.

Applying the FTC's guidance, the device provider's security culture should be such that the security of data collected by the IoT device is a primary consideration, baked into the design of the device, not an afterthought or an add-on. The device should collect no more data than is necessary for its functions, and the device provider should be clear about who has access to the data, for what purposes, and for how long. Security settings should be readily accessible, user-friendly, and easy to apply. Users should set their own, complex passwords, and protect them. And, consumers of IoT devices should insist on robust security, and avoid devices that fail to provide it, or are unclear about their security practices.

When incorporating IoT devices into critical functions (think of the car, rifle, and pacemaker examples) consider “worst case” scenarios, and have a disaster recovery plan. With these measures, enterprises can partake of the IoT's benefits, without the risks keeping anyone up at night.


L. Elise Dieterich is a partner with Kutak Rock LLP and leader of the firm's privacy and data security practice in Washington, DC.
