The FTC has issued a staff
report on the “Internet of Things,” recommending businesses take concrete steps
to enhance and protect the privacy and security of consumers. The report entitled Internet of Things: Privacy & Security in a Connected World (http://www.ftc.gov/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things) provides a look at the FTC’s expectations for consumer
data privacy and security for internet connected products. While the report does not have the force of
law, it does provide insight of the FTC’s minimum expectations should a data
breach or other FTC Act violation occur.
For purposes of the report, the
FTC defined the “Internet of Things” as being devices (other than computers,
smart phones or tablets) that connect or transmit information with or between
each other through the internet. For
instance, the Internet of Things would include devices with imbedded
intelligence like smart appliances and medical devices. The report expressly excludes business to
business products.
RECOMMENDATIONS:
· Companies developing Internet of Things (“IoT”)
products should implement reasonable security. As noted by the FTC Staff, reasonable
security is not a one size fits all proposition and should take into account a
number of factors, including: the amount and sensitivity of the data collected,
the sensitivity of the device’s functionality, and the costs of remedying the
security vulnerabilities. At a minimum,
however:
·
Companies should
build security into their devices at the outset and not as an afterthought;
·
Companies should
do privacy or security risk assessments;
·
Companies should
consider how to minimize the data they collect and retain, only collecting and
retaining the minimum necessary;
·
Companies should
insure their service providers are capable of maintaining reasonable security;
·
For systems with
significant risk, companies should implement a defense-in-depth approach with
security measures at several levels; and
·
Companies should
continue to monitor products through their life cycle, patch known
vulnerabilities, and clearly represent the extent to which they will provide
ongoing security updates and software patches.
· Companies should examine their data practices and
business needs and engage in data minimization.
The FTC noted that engaging in data minimization helps safe guard
against the potential harms caused by a data breach, making products less
attractive to data thieves and making it less likely the data will be used in a
way that is inconsistent with the consumer’s expectations. At a minimum:
·
Companies should
develop policies and practices that impose reasonable limit on the collection
and retention of consumer data;
·
Companies should
establish reasonable retention limits for the data collected; and
·
Companies should
also consider whether they can collect and maintain data in a de-identified
form and maintain up to date with technological developments to insure the data
is no re-identified and require the same of their third party vendors.
· The FTC continued to emphasize that companies should
provide consumers with notice and choice as
to what data will be collected, particularly if data would be used in a way the
consumer would not expect. While the FTC
staff recognized the practical difficulties of providing choice where there is
no consumer interface (for instance, smart appliances), they provided several examples
of how notice can be provided to a consumer, including the use of icons, set up
menus, and affixed barcodes that when scanned, would take the consumer to a
website enabling consumers to make choices through the website interface.