IoT and Connected Devices: Before Rushing In, Be Mindful of the Risks

If your business manufactures or uses a connected device or simply collects and stores user data, it may be exposed to legal liability.  Despite the transformative effects of such Internet of Things (“IoT”) technologies, the reality is that IoT will increase your business risk – know its sources and manage it.

What is IoT?

IoT is a concept that has existed for decades.  However, due to deep declines in the cost of sensors, computing and related technologies, IoT is now influencing the physical world in transformative ways.  To start, IoT describes a ubiquitous connection of devices or objects (“things”) that can be monitored, controlled or interacted with by Internet-connected electronic devices, allowing people to interact seamlessly with both the digital and physical world.  IoT centers on machine-to-machine communications and the idea that more information (i.e., data) leads to a deeper understanding of the physical world.  In turn, this deeper understanding creates greater value for the end-user.  On a small scale, IoT includes wearable technologies that, in real-time, allow a user to track how far she has run and to share this information with friends.  IoT technology also includes an array of conveniences in home automation and security.  For example, when a homeowner pulls into his driveway, IoT can automatically open the garage door, turn on lights inside the home, and disable the home security system.  On a much larger scale, IoT will maximize efficiencies in the way that cities consume power, manage traffic, and prepare for natural disasters.  Experts at Cisco and Ericsson estimate that there will be 50 billion connected devices by 2020.  Moreover, the McKinsey Global Institute values the IoT market somewhere between $3.9 trillion and $11 trillion by 2025.

Despite the countless opportunities that IoT presents, businesses should be wary of its major legal concerns: the capture and use of consumer data, and cybersecurity threats.  Further, businesses should have actionable plans for the governance and protection of consumers’ personally identifiable information.

Whose Data is it?

When things are always on – as is the case with IoT – data is continuously shared.  And although IoT creates new opportunities to solve existing problems, it raises new issues between private citizens and businesses operating in the digital space.  At present, there is much debate over the ownership of data that consumers disclose while using products and services: Do consumers retain ownership over their personal data or do businesses take ownership over such disclosures?  Consumer disclosures are often a necessary component of the utility of products and services.  These disclosures also aid the improvement to such products and services, thereby creating long-term benefits for the consumer.  Businesses that take care in drafting their terms and conditions contract for rights in these consumer disclosures.

Still, businesses must consider consumer privacy laws and the ethical concerns of collecting and storing consumers’ personal data.  Broadly, the FTC enforces consumer protection laws that protect consumers against unfair methods of competition or deceptive acts or practices.  But businesses should also be cognizant of the applicable regulatory frameworks for the industries in which they operate.  For instance, the Communications Act, as amended, and the FCC impose additional requirements for telecommunications carriers’ use of consumer information.  In addition, state laws and regulations may impose added responsibilities.  Also, U.S. companies that engage in cross-border data flows should be aware of additional data transfer laws and data sovereignty issues.  Similarly, ethical concerns for data privacy often arise out of the representations that businesses make concerning their use of data or the overbroad bulk collection of data, where either instance exceeds consumers’ reasonable expectations.  In recent proceedings, the FTC has brought enforcement actions against technology companies like Snapchat, Yelp, Google, and Facebook for violating their user privacy agreements.  There, the FTC found the companies to have deceived consumers over the amount of personal data the companies collected and made misrepresentations on how certain products or product features actually worked.

Businesses should always provide notice and obtain consent before collecting consumer information, and they must market truthfully and ensure their public commitments match actual practices for the collection, scope, retention, expressed purpose, and confidentiality of data.  Further, businesses should also be aware that private actions concerning the ownership of consumer data could arise in a number of ways – privacy, contract, or tort.

Legal Effects Remain Uncertain

Although connected products and services may amplify products liability concerns, cybersecurity must also be addressed.  It is clear that product and service providers who do not meet reasonable expectations in the cybersecurity of their product and service offerings will face liability.  But these requirements are still imprecise, as regulators have abstained from creating formal rules and have instead decided matters on a case-by-case basis.  For example, in separate proceedings, the FTC brought enforcement actions against Wyndham Hotels and Resorts and IP-camera maker Trendnet, alleging that the companies engaged in deceptive and unfair acts because of their failure to take reasonable security measures.  In both cases, the FTC alleged, among other things, that the companies unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft, because they stored personally identifiable consumer data in clear readable text and failed to use readily available security measures, like firewalls or software that would secure data transmissions.  Further, the FTC alleged that neither company regularly tested or monitored the security of its network.  Both cases carry twenty year settlement obligations.  In another case, the FCC held companies YourTel and TerraCom jointly and severally liable for fines totaling $10 million due to poor data security practices, where the companies stored personally identifiable consumer data online, without firewalls, encryption or password protection.  More recently, the Consumer Financial Protection Bureau fined financial-technology firm Dwolla for misrepresentations made concerning its data security practices.  Notably, in this case no data breach actually occurred.

Still, the effect of law becomes even more unpredictable when we begin to use existing technologies in disruptive ways that touch multiple industries.  For example, the advent of a “digital wallet” has created gaps, overlaps and ambiguities in applicable payments laws.     In the face of such ambiguity, many businesses unwittingly take on extreme risk as they add connectivity to products, introducing poorly designed, vulnerable hardware or software to the marketplace.

Businesses should build products with safety in mind to address cybersecurity concerns, designing their products or services around the possibility of hacks or breaks in the communication chain.  They should regularly monitor and update the security of their products and services as needed.  One of the greatest benefits of IoT is that updates, or patches, can be pushed from the manufacturer directly to the consumer without consumer involvement, which is not only convenient for the consumer, but also limits the business’s prolonged exposure to liability.  Even if a business does not offer ongoing support, it should notify consumers of security risks and available updates.  Larger businesses may want to implement bug bounty programs, which provide recognition or compensation to individuals that report bugs or find system vulnerabilities.

Take Time to Contract Thoroughly with Corporate Partners

Does your business collect or share data with corporate partners absent a formal contract?  Businesses should appreciate the danger for potential liability as the number of stakeholders who play a part in the value chain increases.  The Target and Home Depot data breaches occurring in December 2013 and September 2014, respectively, provide retail examples of the importance of security practices among corporate partners and finding a balance in the amount of access afforded to vendors.  In both instances, point-of-sale systems were compromised when third-party vendor credentials were stolen for back office systems.

Along with internal security measures, businesses should look to standardize security across the many stakeholders involved in their distribution chain.  If security cannot be standardized, businesses should work only with service providers who are capable of maintaining adequate security over the data for which they are responsible.  When contracting with corporate partners, a business should implement strong indemnity provisions that protect it against damages caused by the other party.  Further, businesses should maintain licensing and supply agreements between them and their corporate partners that clearly define: the scope of the data collected; the ownership of such data; the custodian of the data; the acceptable uses for the data; whether any third-parties will have access to the data; how to determine liability in the event of a breach; the side of the point of demarcation on which responsibilities lie; and how compliance will be verified.

Plan for a Breach before It Occurs

Lastly, businesses should have actionable plans for the governance and protection of data that contains consumers’ personally identifiable information.  Many companies maintain information of a wide scope under a false impression that more data is always more valuable.  But collecting and retaining large stores of information can actually make it more difficult for companies to realize a breach has occurred.

Businesses should follow these tips: limit the scope of data collected; do not retain data for longer than needed; anonymize data where possible; and be reasonable in the disposal of confidential documents.  Further, businesses that are custodians of large amounts of data that contain personally identifiable information should maintain cyber risk insurance.  Cyber risk insurance policies generally indemnify first party and third party losses that result from disruption to the company’s own network, data breaches of personally identifiable information, cyber extortion, and media liability.  (For a more in depth discussion on insurance coverage, be sure to read Michael Stewart’s post, “Insurance for Technology Businesses: Are You Covered?”)

Managing the Risks

As businesses release innovative products and services, they are faced with policymakers’ unclear expectations for security practices and uncertain applications of existing legal standards.  Businesses can reduce their legal exposure by marketing truthfully; knowing the consumer protection and data security laws and regulations that govern their industry; creating comprehensive data security programs that are verified through regularly scheduled audits; using reasonable security measures and addressing failures or opportunities for breach before a system is compromised; and having a plan in place to deal with a breach, including knowledge of the requirements for reporting it.

Friend, Hudak & Harris, LLP is at the forefront of inspecting and assessing the potential impact of IoT across a number of industries. This leaves us well positioned to guide clients through varied complexities, helping them to avoid or reduce technology related risks.

Joel Thomas
About the author:
Joel Thomas, Associate
Joel is a member of the FH2 telecommunications practice group, representing clients in state, federal and local regulatory, legislative and public policy matters. Before starting his legal career, Joel clerked at the Federal Communications Commission in the Cybersecurity and Communications Reliability Division and Policy and Licensing Division. For more information about Joel, Click Here.

The above article is intended for information purposes only. It is not intended to constitute legal advice or the provision of legal services, and such material is not guaranteed to be complete, correct, or up-to-date. The services of a competent professional should be sought if legal or other specific expert assistance is required – you should not act or rely on information in this article without seeking the advice of a lawyer. Transmission of the information and material herein is not intended to create, and receipt does not constitute, an agreement to create an attorney-client relationship with Friend, Hudak & Harris, LLP or any member thereof.