As a follow-up to a workshop it hosted in November 2013, the Federal Trade Commission (FTC) recently released a detailed report on the “Internet of Things” (IoT), seeking to summarize the workshop and provide staff recommendations on the subject.
Broadly, the FTC refers to the IoT as “the ability of everyday objects to connect to the Internet and to send and receive data.” The FTC discusses what it sees as the benefits and risks of the IoT. Among the risks that the FTC sees from the IoT are enabling unauthorized access and misuse of personal information, facilitating attacks on other systems, and creating risks to personal safety. To address those risks, the FTC suggested that at least four of the Fair Information Practice Principles (FIPPs) be applied to the IoT space: security, data minimization, notice, and choice.
The FTC made several detailed recommendations for companies developing Internet of Things devices, particularly in the area of security. These include building security into devices at the outset, rather than as an afterthought in the design process; training employees about the importance of security, and ensuring that security is managed at an appropriate level in the organization; ensuring that when outside service providers are hired, those providers are capable of maintaining reasonable security, and providing reasonable oversight of the providers; using multiple layers of security to defend against a particular identified risk; using measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network; and monitoring connected devices throughout their expected life cycle and, where feasible, providing security patches to cover known risks.
FTC Commissioner Maureen Ohlhausen issued a separate statement accompanying the report in which she concurred with the issuance of the report but objected to two of the staff’s recommendations. First, Ms. Ohlhausen stated she does not agree with the report’s recommendation for baseline privacy legislation, noting that such legislation is not needed because she questions “what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot.” Second, she expressed concern about the report’s support for data minimization because “the report, without examining costs or benefits, encourages companies to delete valuable data.”
With the issuance of the FTC report, it is likely that the Commission will step up its enforcement activities against IoT device companies that are perceived not to be living up to their privacy and security obligations. The report provides something of a roadmap for companies to follow when building privacy and security protections into their IoT devices. Ms. Ohlhausen’s objections, however, would indicate that the Commission is not fully united about all issues in the IoT space, particularly with respect to data minimization. Going forward, the FTC’s actions against IoT companies will reveal which of the recommendations the Commission is going to emphasize, and whether companies will be scrutinized for collecting data beyond what is strictly required to deliver the service for which a consumer has purchased the IoT device.