
The Internet of Things

By L. Elise Dieterich
July 01, 2016

The buzz phrase “Internet of Things” is seemingly everywhere. What is it, what can it do for us, and what concerns does it present? More specifically, while the Internet of Things (“IoT,” for short) presents tremendous opportunities for businesses, are there corresponding risks, or elements of the IoT that businesses should consider staying away from?

The answer to the benefits-versus-risks question is as simple, and as complex, as understanding the privacy and cybersecurity risks associated with any and all Internet-connected technology, be it your personal smartphone or an enterprise-wide software application hosted in the cloud. The IoT, because it connects and communicates via the Internet, is vulnerable to hacking and malware, the same as our e-mail and computers. However, IoT devices also present specific benefits and risks that are important for every enterprise to understand.

What Is the IoT?

For starters, what exactly does the term IoT refer to? Like many buzz phrases, it depends on the user. A Google search serves up this definition: “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” And indeed, most consumers interface with the IoT through connected devices such as wearable fitness trackers, connected televisions, or that “puppy cam” connected to their smartphones. For businesses, though, a more nuanced definition is in order.

The U.S. Department of Commerce (DOC) recently offered this: “IoT is the broad umbrella term that seeks to describe the connection of physical objects, infrastructure, and environments to various identifiers, sensors, networks, and/or computing capability. In practice, it also encompasses the applications and analytic capabilities driven by getting data from, and sending instructions to, newly-digitized devices and components.”

The Information Technology Laboratory at the National Institute of Standards and Technology (NIST), in a 2016 draft report released for public comment, posited that “the current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident.” See http://1.usa.gov/28IoHv4, at 1. Thus, the NIST report proposes “a common vocabulary to foster a better understanding of IoT” that assumes the IoT will typically be comprised of, at a minimum, a sensor, an aggregator, a communication channel, an external utility (a software or hardware product or service), and a decision trigger. Id. at 15.

A mundane example of this is the FitBit, which senses information about the wearer's physical activity, aggregates that information over time, and communicates it to the wearer's smartphone or computer, where the wearer can evaluate and act on the information. Sensor-driven devices operating in the IoT framework are all around us and range from connected cars and smart TVs to industrial controllers, inventory trackers and implanted medical devices with Wi-Fi built in.

A More Straightforward Explanation

At its root, the IoT is fairly straightforward: my device senses something and uses the Internet to communicate with me about it. Things get more complicated, though, when we take account of the fact that most connected devices require an intermediary, usually the hardware or software provider, and that intermediary typically also has access to our information. This FAQ on the website for Nest, a Google subsidiary that sells home IoT devices such as smoke detectors, video cameras, and thermostats, illustrates the access that an IoT device provider can have to sensitive data when it asks, “[d]oes Nest know when I'm home or not?” and answers yes: “Our products can detect when someone's there, and we use information like this to make our products more thoughtful.” Nest reassures its users, however, that “[i]f you want to be more literal about it, no one at Nest or Google spends the day looking at a screen tracking if you're home or not.”

With or without an intermediary, connected devices present unique vulnerabilities. A hacked “puppy cam,” for example, can give the hacker a view inside the owner's home. And whereas the risks to e-mail and computers revolve primarily around data loss or misappropriation, the very functionality of an IoT device is at risk. A staged hack that shut down a Jeep Cherokee while traveling on the highway at high speed gained huge visibility last year when an article describing the hack was published in Wired magazine. See http://bit.ly/28IrFyv.

Although hacking a car is a sophisticated exploit and likely not a routine danger, the fact that it could be done alarmed both consumers and regulators, and highlighted the risks the IoT poses. Wired exposed another frightening connected device vulnerability last year, when it reported that hackers had been able to override the Wi-Fi-enabled aiming system on a rifle. See http://bit.ly/28Jj4wf. And regulators have expressed life-and-death concerns about the risks to medical devices connected to the IoT. The Food and Drug Administration (FDA) in 2014 issued medical device guidance that includes the following statement: “Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” http://1.usa.gov/28JbFAe, at 3. It has been reported that doctors disabled the IoT functionality of former Vice President Dick Cheney's pacemaker while he was in office, for just that reason. http://wapo.st/28JwIAU.

Is This a Real Problem?

How pervasive are these concerns? The DOC reports that “by 2015 there were around 25 billion connected devices. Devices now outnumber people by 3.5 to 1.” Even more astounding, “[i]t is expected by 2020 there will be up to 200 billion connected devices ….” The DOC notes, further, that “thus far no U.S. government agency is taking a holistic, ecosystem-wide view that identifies opportunities and assesses risks across the digital economy,” although numerous regulatory agencies have addressed aspects of the IoT in some way.

To begin to remedy this lack of a holistic view, the DOC published in the Federal Register on April 6, 2016, a request for public comments on “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things.” 81 Fed. Reg. 19956-19960; http://1.usa.gov/28JioeL.

The broad scope of the questions set forth in the DOC's request for comments is indicative of the IoT's reach, touching on technology, infrastructure, policy, and international considerations, among others. With regard to the privacy and cybersecurity concerns raised by the IoT, the DOC request for comments notes that: “A growing dependence on embedded devices in all aspects of life raises questions about the confidentiality of personal data, the integrity of operations, and the availability and resiliency of critical services.” Id.

Your enterprise may currently be using the IoT for functions as diverse as encouraging employee wellness through a FitBit program, managing inventory using RFID tags, tracking the location of company vehicles using GPS, and improving products through automated feedback from connected software or hardware products. Indeed, your company may be using the IoT in ways you've never thought about: for example, providing QR codes on your products that individuals scan with their smartphones to access information on your company's website. Or, your enterprise may proactively be creating and marketing to consumers products that feature IoT connectivity as a selling point. The benefits of participating in the IoT are myriad, and include convenience, better and more timely data, and higher levels of engagement. Nonetheless, in all these instances, there are important privacy and cybersecurity pitfalls to be avoided.

Privacy Concerns

On the privacy side, IoT device consumers, be they individual consumers or enterprise consumers, should insist on knowing: 1) what data the device is collecting; 2) what data is being shared and with whom; and 3) how consumers can control data collection and sharing. Purveyors of connected devices should have answers to these questions at the ready, and clearly communicate their data collection, use, and disclosure practices in privacy policies that are easily accessible to consumers. Collecting and using consumer data without informed consent is generally a no-no that can result in significant penalties, not to mention liability in the event of a breach of consumers' information.

Cybersecurity Issues

On the cybersecurity side, the Federal Trade Commission (FTC) recently issued helpful guidance titled “Careful Connections: Building Security in the Internet of Things.” http://1.usa.gov/28JcjxC. Here, the FTC recommends the following best practices, quoted here, for companies developing and selling IoT devices to consumers:

Encourage a culture of security at your company. Designate a senior executive who will be responsible for product security. Train your staff to recognize vulnerabilities and reward them when they speak up. If you work with service providers, clearly articulate in your contracts the high standards you demand from them.

Implement “security by design.” Rather than grafting security on as an afterthought, build it into your products or services at the outset of your planning process.

Implement a defense-in-depth approach that incorporates security measures at several levels. Walk through how consumers will use your product or service in a day-to-day setting to identify potential risks and possible security soft spots.

Take a risk-based approach. Unsure how to allocate your security resources? One effective method is to marshal them where the risk to sensitive information is the greatest. For example, if your device collects and transmits data, an important component of a risk-based approach is an up-to-date inventory of the kinds of information in your possession. An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources to where they're needed most. Free frameworks are available from groups like the Computer Security Resource Center of the National Institute of Standards and Technology, or you may want to seek expert guidance.

Carefully consider the risks presented by the collection and retention of consumer information. If it's necessary for the functioning of your product or service, it's understandable that you'd collect data from consumers. But be sure to take reasonable steps to secure that information both when it's transmitted and when it's stored. However, it's unwise to collect or retain sensitive consumer data “just because.” Think of it another way: If you don't collect data in the first place, you don't have to go to the effort of securing it.

Default passwords quickly become widely known. Don't use them unless you require consumers to change the default during set-up.
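The FTC's last point, and the article's later advice that users set their own complex passwords, can be enforced in the device itself. The following is an added illustration, not code from the article, the FTC, or any device vendor: a constructed first-boot setup flow that refuses to operate on the factory credential until the owner has replaced it with an acceptable password, and rejects well-known defaults outright. The credential values, the blocklist, and the length and character-class thresholds are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed example: the credential the device ships with from the factory.
FACTORY_DEFAULT_PASSWORD = "admin"
# Constructed blocklist of well-known defaults that setup refuses outright.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345678", "default"}
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold


class SetupRequired(Exception):
    """Raised when the device is still running on factory credentials."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_acceptable(password: str) -> bool:
    """Reject factory/known defaults, short passwords and low-variety ones."""
    if password.lower() in KNOWN_DEFAULTS or password == FACTORY_DEFAULT_PASSWORD:
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    # Require at least three of: lowercase, uppercase, digit, other.
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3


class Device:
    def __init__(self) -> None:
        self.setup_complete = False
        self.salt = b""
        self.password_hash = b""

    def complete_setup(self, current_default: str, new_password: str) -> bool:
        """First-boot step: prove possession of the factory default, then replace it."""
        if self.setup_complete or current_default != FACTORY_DEFAULT_PASSWORD:
            return False
        if not password_acceptable(new_password):
            return False
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new_password, self.salt)
        self.setup_complete = True
        return True

    def authenticate(self, password: str) -> bool:
        """Refuse every login, including the factory default, until setup is done."""
        if not self.setup_complete:
            raise SetupRequired("replace the factory default password before use")
        return hmac.compare_digest(_hash_password(password, self.salt), self.password_hash)
```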

Conclusion

For enterprise consumers of IoT devices, these best practices provide a template for due diligence questions to ask regarding technology your company may be considering.

The goal of the enterprise participating in the IoT should be to maximize the benefits while minimizing the risk. Transparent and carefully tailored privacy practices, coupled with thoughtful and robust security measures, will go far toward achieving this goal.

Applying the FTC's guidance, the device provider's security culture should be such that the security of data collected by the IoT device is a primary consideration, baked into the design of the device, not an afterthought or an add-on. The device should collect no more data than is necessary to its functions, and the device provider should be clear about who has access to the data, for what purposes, and for how long. Security settings should be readily accessible, user-friendly, and easy to apply. Users should set their own, complex passwords, and protect them. And, consumers of IoT devices should insist on robust security, and avoid devices that fail to provide it, or are unclear about their security practices.

When incorporating IoT devices into critical functions (think of the car, rifle, and pacemaker examples), consider “worst-case” scenarios, and have a disaster recovery plan. With these measures, enterprises can partake of the IoT's benefits, without the risks keeping anyone up at night.


L. Elise Dieterich is a partner with Kutak Rock LLP and a member of this newsletter's Board of Editors.
