The Internet of Things Brings Legal Gotchas to CIOs
By Stephanie Overby, CIO | August 21st, 2014
CIOs must think through privacy, compliance and other legal issues before unleashing armies of sensors.
CIOs have big ideas for marketing and customer experience using sensors and analytics.
But what IT leaders might not be thinking about yet are the legal ramifications of a growing network of physical objects accessed through the Internet and connected to the corporate network.
“Many of the legal issues are not well understood even by sophisticated privacy practitioners,” says Christopher Wolf, a partner at the law firm Hogan Lovells. “In the world of sensors rather than computer screens, the legal issues are challenging.”
The Federal Trade Commission last September took its first action against an Internet of Things manufacturer. TRENDnet, which marketed its Internet-connected cameras for home security and other uses, settled with the FTC over faulty software that left its cameras vulnerable to online viewing and listening. Legal issues are destined to multiply as the Internet of Things market grows. Cisco has predicted the 10 billion connected devices that existed in 2010 will balloon to more than 50 billion in 2020.
Analysts watching these developments advise CIOs to consider self-regulating on issues of privacy, security and consent, to stay on the right side of the evolving law.
Tech leaders may assume they can anonymize data to protect an individual’s privacy. But researchers have shown that many large data sets can be re-identified with less effort than one might assume, says Scott Peppet, professor of law at the University of Colorado. Location data, for example, may be easily reconstructed.
“This suggests that CIOs should really be looking at the data they’re tracking and storing, and asking whether those data are absolutely necessary to their business model or to improving the user experience,” Peppet says. “If not, think twice before hoarding huge amounts of potentially very sensitive, and very revealing, data.”
Groups like the Future of Privacy Forum are examining de-identification to provide clarity for regulators, says Wolf, who founded the think tank. “The greater the protections against re-identification, the better insulated an entity will be from enforcement under privacy laws and principles.”
Many Internet-connected devices have limited computing capability, connectivity or battery power, and their designers may not be accustomed to addressing network security issues the way a large enterprise does. “If you make ovens or cars, network security may not be your thing,” says Peppet. Once security flaws are identified, it may be difficult to update and protect these devices. Most do not have auto-update mechanisms due to bandwidth and power constraints and will require manual patching.
CIOs should think about when and how they will ask individuals to provide meaningful consent for the use of this data, he adds. That means providing clear notice of what data is accessed, how it is analyzed and used, where it is stored, how it is encrypted and under what circumstances it will be disclosed. It’s particularly challenging to address consent for a product without a screen or for connectivity that the consumer may not be aware exists, he says.
“It’s difficult for consumers to really understand the data practices behind these devices, and similarly hard to argue that [they] are providing valid consent,” he says.