Internet of Things: Continued Regulatory Focus and Consistent Themes, But Not Without Discord
By Mary-Elizabeth M. Hadley
A program yesterday at Georgetown Law offered a number of governmental and private perspectives on current and future legal trends related to the Internet of Things (“IoT”), i.e., the ability of everyday objects to connect to the Internet and to send and receive data.
The program highlighted the tremendous variety of uses associated with the IoT, ranging from casual entertainment to opportunities to improve health and safety and save money.
Although the nascent nature of the IoT space was a recurring theme, panelists from the Federal Trade Commission (“FTC” or the “Commission”), Microsoft, and the Senate Committee on Commerce, Science and Transportation offered some useful insights for companies going forward.
FTC Continues to Encourage Companies to Implement Reasonable Security Measures: Echoing the guidance provided by the Commission in its January 2015 Staff Report on the IoT, Cora Tung Han, a senior attorney in the FTC’s Division of Privacy and Identity Protection, emphasized that companies should adopt reasonable security measures – a flexible standard that varies based on the amount and type of data collected.
Security by Design: Ms. Han explained that companies should consider building in processes, such as risk assessments, and working to create a culture of security, including by encouraging employees to speak up. Additional appropriate actions may include monitoring products throughout their life cycles and patching any known vulnerabilities.
Data Minimization: Ms. Han reiterated the importance of data minimization – the concept that companies should limit the data they collect and retain, and dispose of it when they no longer need it – but noted that it was a flexible concept. Businesses should recognize that the more data collected, the higher the chance it will be (i) hacked or (ii) used in a way that departs from consumers’ reasonable expectations.
Enforcement: Noting that the FTC has brought more than 50 data security actions, Ms. Han cited the TRENDnet settlement as an example of the Commission’s commitment to holding companies accountable in the IoT context. There, the FTC alleged that product descriptions for TRENDnet’s SecurView cameras, used for home security and baby monitoring, claimed that they were “secure.” In fact, the cameras had faulty software that left them open to online viewing. Under the settlement, TRENDnet was prohibited from misrepresenting the security of its cameras and was required to establish a comprehensive information security program designed to address security risks.
A Contrary View: Peter Feldman, Majority Counsel to the Senate Committee on Commerce, Science and Transportation, questioned the extent to which the FTC’s prior consent orders provide guidance for other companies, emphasizing the case-specific nature of the TRENDnet action and similar settlements.
Although “security by design” may be an interesting catch phrase, Mr. Feldman challenged its ability to be implemented in practice. He questioned, for example, what it means for a fledgling company starting out in someone’s garage, likely lacking the resources to have a privacy team.
Data minimization may also prove challenging, according to Mr. Feldman, given the importance of data to new start-ups and their limited knowledge of the ultimate uses for that data.
For Mr. Feldman, it is important to avoid the unintended consequence of stifling innovation.
Mr. Feldman’s comments echo those of FTC Commissioner Joshua D. Wright in his Dissenting Statement to the FTC’s IoT Report and reflect an emerging theme among opponents, particularly Republicans, of the FTC’s increasingly active approach to regulating privacy and data security. According to Commissioner Wright, “[t]o the extent concepts such as security by design or data minimization are endorsed at any cost – or without regard to whether the marginal cost of a particular decision exceeds its marginal benefits – then application of these principles will result in greater compliance costs without countervailing benefit. Such costs will be passed on to consumers in the form of higher prices or less useful products, as well as potentially deter competition and innovation among firms participating in the Internet of Things.”
Varying Global Standards: Alonzo Barber, an attorney at Microsoft, emphasized the challenges global companies face in complying with a spectrum of countries’ laws, noting that it can be difficult to navigate the minefield of varying requirements.
Additional complications arise as companies such as Microsoft work to incorporate their developed software and practices into new technologies, working with start-up companies that are just beginning to consider privacy and data security.
As numerous panelists noted, the IoT is likely to continue expanding at a frenzied pace. As technology evolves, the FTC, Congress and private companies such as Microsoft will all likely remain key players in shaping how the IoT impacts consumers, businesses and governments.
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.