The FTC and Big Law weighed in on the ups and downs of IoT for security, privacy and consumers at New York Law School.
Imagine life without your smartphone. While some may say they can live without it, consider this: In the U.S. alone, Americans collectively look at their smartphones around 8 billion times a day, found a 2015 study by Deloitte. When accounting for all age groups, that checks out to 46 times per day, per person.
These smartphones are just one of many devices encompassing the ” Internet of Things ” (IoT). These devices are web-enabled and can “communicate” with one another—from the tablet where you check your email to the Amazon Echo that plays any song you might want to hear at any given moment, the devices making consumers’ lives easier, faster and more connected are already leaving massive fires to be put out by legal.
But why, when it comes to law, is there chaos around IoT ? As FTC Commissioner Terrell McSweeny noted in a Feb. 3 event at New York Law School, there are “no shortage of questions” around IoT devices. Titled “Exploring the Things in the Internet of Things: Implications on Business, Consumers, and the Law,” McSweeny used the event to elaborate on “what it’s like for a 100-year-old consumer protection agency to protect consumers in a digital world,” in which everything “from lightbulbs to toothbrushes” can be interconnected.
That interconnectivity is multiplying, McSweeny noted—a 2015 study by Juniper Research estimated that the number of IoT devices to be in existence by 2020 will be about 38 billion. At present, she said there are “twice as many connected devices as people on the planet.”
“We have really, literally never seen such a rapid change in such a short period of time, on so many fronts, as we’re experiencing today,” she added.
And while users continue to adopt these devices, consumers and regulators have many concerns over privacy and cybersecurity that remain unanswered. One FTC concern from a report on IoT devices was that many consumers might not have been provided with “adequate security notices” regarding personal information gathering and consumer tracking, McSweeny said. An example of this recently played out in a settlement between the FTC and New Jersey Division of Consumer Affairs with the smart TV manufacturer and retailer Vizio. The FTC had alleged Vizio’s smart televisions were illegally tracking the watching habits of viewers.
Cybersecurity is also concerning, especially as more devices are connected to the internet. As Hogan Lovells partner Trey Habury previously told LTN , “As we move into a world where IoT has manifested itself in the world of auto vehicles and drones, hacking starts to have real-world consequences.”
While the idea of a hacker overtaking a drone or vehicle and wreaking havoc on roadways might seem sensational, consider the ubiquity of hacks—a 2015 survey by Duke University and CFO Magazine found that, among companies with fewer than 1,000 employees, 85 percent were hacked. Meanwhile, 60 percent of “larger” companies reported hacks. In August 2016, it was revealed that the credentials of more than 500 million Yahoo users were leaked .
On the consumer level, McSweeny said 1 in 5 households have experienced identity theft, a figure that might explain why security confidence is “relatively low” in the U.S. Further, citing data accrued for an FTC report, McSweeny explained that over half of consumers said they were less likely to use online services because of privacy concerns, which might hinder the adoption of IoT devices.
“This will be a growing consumer protection problem in the future,” she added.
The FTC has taken enforcement protection against companies for not adequately securing their devices, and McSweeny recommended that companies start building their tools with security in mind. Among these recommendations were questioning whether data actually needs to be stored; ensuring sensitive information is stored securely; training employees and watching for vulnerabilities as they rise; and requiring password authentication.
“These are basic steps,” she said, “but time and again I see cases where these basic steps haven’t even been followed.”
The security issues that may arise from such oversights may be exacerbated in the startup arena. James Koening, Paul Hastings’ privacy and cyber implementation solutions group leader, noted at the event that startups, in the pursuit to build things up and “make them come to life,” often take a less formal approach to security and legal concerns. Instead, they opt to “launch [their product], see what happens, and then [address] the security.”
“The challenge that you face is you’ve got a rapidly evolving series of technology,” added Peter McLaughlin, counsel at DLA Piper. The task for those in the IoT space, therefore, is “how to manage all of this data that’s going to be used in all sorts of different ways.”