The Internet of Things is revolutionizing how we work and live by connecting everyday electronic devices to the Internet and to one another. Commonplace IoT products today include everything from fitness trackers, pacemakers, thermostats, and home security systems to industrial applications that make cities, transportation, and manufacturing more efficient through the use of sensors, automation, and the Internet. IoT presents both tremendous opportunity and challenges as companies face a changing legal landscape and must balance innovation with trust, particularly in the areas of privacy and data security. A proactive approach and a candid assessment of both opportunity and risk throughout the product lifecycle will be key to long-term success as companies continue to bring new IoT products and services to market, utilize the data they collect and store, and support the products over time through end of life.
The Opportunity
The explosive growth of IoT is showing no signs of slowing down. There are projected to be more than 20 billion connected devices in the U.S. by 2020.[1] Industry leaders are taking notice, offering products and services to accelerate digital transformation with a data-driven approach in consumer and industrial applications. As just one example, Microsoft announced recently it will be investing $5 billion into IoT over the next four years, with a goal of giving “every customer the ability to transform their businesses, and the world at large, with connected solutions.”[2]
The Challenges
As new IoT products emerge and face first-of-their-kind legal and regulatory issues, companies are making business and legal decisions that will impact the industry for years to come. Business leaders seek to foster innovation and speed to market while faced with real-time decisions about how to put users first and minimize unacceptable privacy and data security risks. These decisions are only going to increase in number and importance over time as IoT technology and use cases evolve. This raises the question of how best to chart a course for success that balances speed to market and digital transformation with trust and safety.
For example, how should a company strike the right balance between speed to market and protecting users’ personal information collected and used as part of an IoT product or service? Some products may rely on aggregate or otherwise de-identified user data that appears to present low risk if the data is stolen or misused. Other products may collect and use sensitive personal information, but do so to improve low-priced products or services for the benefit of users. While the benefits may serve users, questions of user consent to collect and use their data, ownership of the data, and outcomes in the event of a data breach or misuse increase the risk and responsibility borne by companies; depending on the nature of the incident, the impact on product functionality, and the sensitivity of the data, the consequences could be catastrophic.
Another important challenge is how best to consistently meet user expectations of privacy and data security when the baseline for those expectations and the government regulations behind them are evolving. Consider, for example, the impact of the European General Data Protection Regulation on IoT. Referred to as GDPR, this new regulatory framework took effect in May 2018 in an effort to harmonize data privacy laws across Europe, with far-reaching effects worldwide.[3] GDPR is a comprehensive law empowering individuals to control the collection and use of their personal data. GDPR replaces existing data protection laws throughout Europe, with possible fines for noncompliance of up to the greater of €20 million or 4 percent of an organization’s worldwide annual gross revenue. This is in addition to existing U.S. state and federal laws governing user privacy and data security, including the Federal Trade Commission Act and state consumer protection and privacy breach notification laws, which may require companies to change their business practices or, in some instances, pay civil penalties for violations. Consider also that, according to the Cisco 2018 Annual Cybersecurity Report, adversaries are taking malware to unprecedented levels of sophistication and impact while at the same time becoming more adept at evasion and at misusing cloud services and other technology intended for legitimate use.[4] Likewise, in its most recent annual Data Breach Investigations Report, Verizon reported over 53,000 incidents and 2,216 confirmed data breaches in 2018 alone.[5] While it is no surprise that regulation and calls for accountability are increasing as risks affecting IoT rise, much of the responsibility to anticipate and mitigate novel and emerging privacy and data security harms falls on the companies that sell or support IoT products.
Companies also face ethical questions about unanticipated uses of their products or the data they collect. For instance, how should companies distinguish between viable business opportunities and unacceptable privacy or data security risks to individuals or to society generally? Industry leaders are grappling with precisely this issue. As one example, earlier this month Google announced seven principles to guide its work as a leader in artificial intelligence, recognizing “that such powerful technology raises equally powerful questions about its use.”[6] Among the seven principles is the recognition that “[m]any technologies have multiple uses” and a pledge to work to limit potentially harmful or abusive applications.[7] Another recent example is the use of DNA analysis from a popular free online genealogy database to locate a suspect in the infamous unsolved “Golden State Killer” cases in California.[8] While the database used was an open platform (as compared to other companies that provide DNA analysis services on closed platforms), one can imagine ways in which IoT-generated data about individuals could be sought for unanticipated law enforcement purposes, presenting a host of complex legal and ethical questions about the proper use of such evidence to incriminate.
Fostering Innovation in IoT and Building Trust
Tackling these issues in a risk-based, business-specific way will help build trust and provide value. The key is to ask the right questions at the outset and to keep listening. Analyze and understand what data will be collected, from whom, whether the data subjects can be re-identified and under what circumstances, how the data will be stored and used, and what type of notice to users or consent is appropriate under the circumstances. Developing and updating truthful, easy-to-understand disclosures about privacy and data security practices is also part of the process and helps foster trust. Behind the scenes, secure sensitive data consistent with best practices and regulations on an ongoing basis, and document those steps in a manner that will demonstrate compliance should legal or regulatory issues arise. Updating software and providing security patches in a timely and comprehensive manner provides another layer of protection and further fosters trust.
While there is no single answer to these thought-provoking questions, a proactive approach can help companies take full advantage of the opportunities IoT presents and adapt to a constantly changing landscape. Companies can drive these efforts by ensuring that IoT products are designed for security, safety, and privacy.
About the Author
Kristin J. Madigan is a counsel in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Kristin focuses her practice on representing clients in high-stakes commercial litigation, privacy and consumer protection matters, and complex technology disputes and counseling involving new technologies such as the Internet of Things (IoT), artificial intelligence, blockchain, and distributed ledgers.
Notes
[1] IoT devices will outnumber the world’s population this year for the first time, ZDNet, Feb. 7, 2017, available at https://www.zdnet.com/article/iot-devices-will-outnumber-the-worlds-population-this-year-for-the-first-time/; Leading the IoT, Gartner, available at https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf.
[2] Microsoft will invest $5 billion in IoT. Here’s why. Apr 4, 2018, Julia White, CVP Microsoft Azure, available at https://blogs.microsoft.com/iot/2018/04/04/microsoft-will-invest-5-billion-in-iot-heres-why/.
[3] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[4] Cisco 2018 Annual Cybersecurity Report, available at https://www.cisco.com/c/en/us/products/security/security-reports.html.
[5] Verizon 2018 Data Breach Investigations Report, available at https://www.cisco.com/c/en/us/products/security/security-reports.html.
[6] AI at Google: our principles, published June 7, 2018, available at https://www.blog.google/topics/ai/ai-principles/.
[7] AI at Google: our principles, published June 7, 2018, available at https://www.blog.google/topics/ai/ai-principles/.
[8] The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder, New York Times, Apr. 27, 2018, available at https://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html.