In the future, everything will be connected.
That future is almost here.
Over a year ago, the Federal Trade Commission held an Internet of Thingsworkshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.
As in the case of the HITECH Act’s attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report — and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) — seeks to increase the public’s confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum — I can’t define it, but I know it when I see it (see Justice Stewart’s timeless concurring opinion in Jacobellis v. Ohio).
To anyone actively involved in data privacy and security, the recommendations seem frighteningly basic:
–build security into devices at the outset, rather than as an afterthought in the design process;
– train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
– ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
– when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
–consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
–monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
–consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely;
– notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.