Internet of Things Risks Addressed by FTC

By Nickolas Milonas

The Federal Trade Commission recently released a detailed report on the “Internet of Things,” highlighting its view of the associated security risks and benefits of expanding connectivity. The FTC’s report, adopted over the dissent of Commissioner Wright, was based largely on an FTC workshop on the same topic back in 2013. The Internet of Things refers to the growing ecosystem of connected devices that are able to monitor and share information over the Internet. Connected devices include fitness trackers and other wearables, Internet-connected cameras, home automation systems, and connected vehicles. The FTC’s report estimates that by the end of this year, there will be over 25 billion connected devices, with over 50 billion by 2020.

While the report notes the current benefits and future possibilities of the Internet of Things, such as more efficient energy consumption through smart meters or real-time monitoring of health issues through connected medical devices, it also identified what the FTC sees as the growing consumer security and privacy concerns raised by this expanding ecosystem. In particular, the report posited various risks associated with (i) unauthorized access and misuse of personal information; (ii) facilitating attacks on other systems; and (iii) creating risks to personal safety. The FTC also noted that privacy risks may arise from the collection of data over time, including personal information, habits, locations, and physical conditions.

In an effort to address the concerns identified by the report, the FTC advanced several recommendations regarding security, data minimization, and notice and choice.

Security. The FTC recommended that companies: (1) build security into their devices at the outset, as opposed to being reactionary; (2) train all employees on security best practices; (3) retain service providers with good security practices and maintain reasonable oversight over these providers; (4) implement redundancies and security measures at several levels; (5) implement reasonable access control measures to limit unauthorized access to a consumer’s device, data, or network; and (6) monitor products throughout the life cycle, deploying patches for known vulnerabilities.

Data Minimization. The FTC also encouraged companies to evaluate business needs to limit consumer data collection and retention. Companies may choose not to collect data at all; collect only data necessary to the product or service; collect data that is less sensitive; or anonymize collected data. Otherwise, companies can seek consumer consent for collecting additional, unexpected categories of data.

Notice and Choice. The FTC suggested that if data collection and use is “consistent with the context of the interaction” (i.e., expected by the consumer), then an element of notice and choice may not be needed. However, if the data collection and use is “inconsistent with the context of the interaction” (i.e., would not be expected by the consumer), then companies should offer clear and conspicuous notices.

In his dissenting statement, Commissioner Wright suggested the report needed more work because it was based on a single workshop and does “not shed much light on actual consumer preferences as revealed by conduct in the marketplace.”

Copyright © 2015, K&L Gates LLP. All Rights Reserved.