Out-Law News

Consumer trust necessary for 'internet of things' to reach its potential, says US regulator


Businesses developing devices and applications for the 'internet of things' (IoT) age must win the trust of consumers on issues of privacy and security if they are to enjoy success in the market, a US regulator has said.

The Federal Trade Commission (FTC) has published a new report on the IoT entitled 'Privacy & Security in a Connected World' (71-page / 671KB PDF) in which it has set out a number of recommendations on what businesses innovating in the IoT era can do to win consumer trust. It follows a separate report from the UK's telecommunications regulator Ofcom earlier this week on IoT issues.

FTC chairwoman Edith Ramirez said: "The only way for the internet of things to reach its full potential for innovation is with the trust of American consumers. We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the internet of things to be fully realised."

The IoT is a catch-all phrase used to describe the increasing connections and associated data flows between devices. The term reflects advancements in technology such as smart grids in the energy industry, connected cars in manufacturing and the otherwise increasing connectivity of household items including fridges and thermostats.

"The privacy principles identified by the FTC appear broadly similar to those flagged by the Article 29 Working Party, the pan-EU privacy watchdog, in its IoT opinion last year - particularly around consumer notice and choice, security and data minimisation. This consistency should be welcomed," data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said. 

"However, there is not the same comprehensive legal framework on privacy in the US as there is in the EU, so the uncertainty for organisations that are subject to EU privacy law who wish to compete against US counterparts is whether the FTC will take as stringent an approach to enforcement as that taken by the EU data protection authorities," she said.

In its report, the regulator made recommendations relating to the notice and choice businesses should give consumers about data use in the IoT age. It also recommended that companies minimise the amount of personal data they collect from IoT devices to limit the "potential harms" associated with any data breach and reduce the risk that the data is used "in a way that departs from consumers’ reasonable expectations".

"Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data," the FTC report said. "Such an exercise is integral to a privacy-by-design approach and helps ensure that the company has given thought to its data collection practices on the front end by asking questions such as what types of data it is collecting, to what end, and how long it should be stored."

"The process of mindfully considering data collection and retention policies and engaging in a data minimisation exercise could also serve an education function for companies, while at the same time, protecting consumer privacy," it said.

The regulator said businesses should also review whether they need to retain data they collect from IoT devices in an identifiable form. However, it said it is "mindful of the need to balance future, beneficial uses of data with privacy protection" and has suggested a flexible framework for businesses to follow on data minimisation.

"[Companies] … can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect," the FTC said. "If a company determines that none of these options work, it can seek consumers’ consent for collecting additional, unexpected data."

"In addition, in considering reasonable collection and retention limits, it is appropriate to consider the sensitivity of the data at issue: the more sensitive the data, the more harmful it could be if the data fell into the wrong hands or were used for purposes the consumer would not expect. Through this approach, a company can minimise its data collection, consistent with its business goals," it said.

The FTC said specific legislation to address IoT challenges is not required, but that it backs new "general technology-neutral data security legislation" that would protect against unauthorised access and "address risks to both personal information and device functionality". It also supports new US federal privacy laws.

"General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace," it said.

On security, the FTC advised businesses to implement "reasonable security" measures when developing IoT products, build security features into products during the design process and carry out privacy impact assessments.

It said what constitutes 'reasonable security' will differ on a case-by-case basis, but that factors such as "the amount and sensitivity of data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities" should influence the extent of the measures businesses put in place.

Businesses should prompt consumers to change default passwords on IoT devices, ensure product security is "addressed at the appropriate level of responsibility within the organisation", provide training on good security practices to staff and test security before products are launched to market, the FTC said.

It also called for businesses to ensure they have appropriate oversight of the security offered by service providers they contract with, to adopt a multi-layered approach to device security "for systems with significant risk", use "strong authentication" procedures to restrict device access, and patch security vulnerabilities as they become aware of them after product launch.
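As an added illustration of the default-password and strong-authentication points above (example code written for this article, not code from the FTC report or any vendor), the sketch below models a device that ships with a factory credential, refuses to turn on its network-facing admin interface until that credential has been replaced, and rejects a replacement that is the factory default, the current password, or too short. The factory password, the 12-character minimum and the class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the credential a device ships with; real devices vary.
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12  # assumed policy value, not taken from the report


class DeviceCredentialStore:
    """Holds one device's admin credential and remembers whether it is still the factory default."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(FACTORY_DEFAULT_PASSWORD, self.salt)
        self.is_factory_default = True

    @staticmethod
    def _hash(password, salt):
        # Salted, iterated hash so a leaked store does not reveal the password directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def verify(self, password):
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def set_password(self, new_password):
        """Replace the credential; raises ValueError when the new value is not acceptable."""
        if new_password == FACTORY_DEFAULT_PASSWORD or self.verify(new_password):
            raise ValueError("new password must differ from the factory default and the current one")
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        self.salt = os.urandom(16)  # fresh salt on every change
        self.pw_hash = self._hash(new_password, self.salt)
        self.is_factory_default = False


def remote_access_allowed(store):
    """Gate for the network-facing admin interface: stays closed until the default is replaced."""
    return not store.is_factory_default
```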
