FTC Recommends Privacy and Data Security Protections for "Internet of Things"

Wilson Sonsini Goodrich & Rosati

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report, "The Internet of Things: Privacy and Security in a Connected World,"1 setting out the staff's privacy and data security recommendations applicable to connected devices, objects, and sensors. The report follows a November 2013 workshop held by the FTC on this same topic, as well as public comments submitted following the workshop.2

The FTC staff defines the Internet of Things (IoT) as "'things' such as devices or sensors—other than computers, smartphones, or tablets—that connect, communicate, or transmit information with or between each other through the Internet." The guidance in the report is limited to devices used by consumers, and thus does not discuss devices sold in the business-to-business context. Some examples mentioned in the report include Internet-connected cameras, automobiles, home automation systems, smart TVs, and bracelets.

Potential Privacy and Security Risks of IoT

While acknowledging the substantial benefits made possible by connected devices, the staff report expressed concern over potential privacy and security risks. The report describes three possible security risks that were identified during the FTC workshop:

  1. IoT devices could be hacked and intruders could access and misuse personal information transmitted to or from the device.
  2. As consumers use more devices that connect together, a device with weak security could be used by a malicious third party to facilitate attacks on the other devices and networks to which it connects.
  3. Some IoT devices affect personal safety, such as providing healthcare or controlling automobile behavior. Unauthorized individuals manipulating such devices could cause physical injury.

The report also identified the privacy risks from potential data misuse when devices collect sensitive personal information or information about individuals' habits and preferences over time. In addition, the report includes recommendations in four areas: data security, data minimization, notice and choice, and federal legislation.

Data Security

In one of the FTC staff's most detailed efforts at data security guidance to date, the report encourages companies to consider adopting industry best practices for implementing reasonable security on IoT devices. The FTC staff states that reasonable security depends on several factors, including the amount and sensitivity of the data collected and the costs of remedying the security vulnerabilities. The report specifically recommends the following:

  • "Security by Design": Building security into devices at the outset, conducting a privacy or security risk assessment, using security-friendly default settings, minimizing data collection and retention, and testing security measures before launching products
  • Awareness and Training: Addressing data security at the appropriate level of responsibility within the company and training all employees about good data security
  • Manage Service Providers: Selecting service providers that are capable of maintaining reasonable data security and implementing procedures to provide ongoing, reasonable oversight of service providers
  • Defense-in-Depth: Implementing a defense-in-depth security approach when there are significant security risks, using encryption for sensitive data, protecting data both in transit and in storage
  • Access Controls: Creating reasonable access controls to limit unauthorized access to the device, data, or consumers' network
  • Life Cycle Support: Monitoring products through their life cycle, and to the extent feasible, patching known vulnerabilities

Data Minimization

The report calls on companies to consider reasonably limiting their collection and retention of consumer data on or through IoT devices, despite the challenges such limitations would bring. The FTC staff considers larger data collections more attractive targets for data thieves, which they believe increases both the probability of a breach and the potential harm to consumers from one. The staff also cautions that collecting and maintaining large amounts of data increases the risk that the data may be used by companies in a way inconsistent with consumers' reasonable expectations.

The report encourages companies to develop policies and procedures to limit the collection and retention of consumer data. It also suggests that the recommendation is flexible, permitting companies to not collect data at all, collect only data necessary for the product or service, collect only less-sensitive data, de-identify data, or obtain consumers' consent to the collection.

Two of the FTC's five commissioners—Commissioner Ohlhausen and Commissioner Wright—disagreed with this recommendation. Both felt that encouraging companies to delete valuable data to avoid hypothetical future harms without rigorously examining the costs or benefits of such recommendation was overly prescriptive3 or "simply not good enough."4 Given these viewpoints, it remains to be seen whether the FTC staff will engage in enforcement based on, or otherwise encourage implementation of, this recommendation.

Notice and Choice

While notice and choice have been the lynchpins of the privacy regime developed by the FTC, commentators have opined that notice and choice are not practical for many IoT devices, considering most of these devices do not have screens. Commentators have also suggested a use-based model for protecting the privacy of individuals, because requiring notice and choice could limit potential societal benefits from unexpected new uses of data. This same approach was proposed in the president's Big Data report.5 A use-based model would rely on identified data uses that are permitted or prohibited. The FTC staff made clear that its position is that the notice and choice framework "continues to be the most viable one for the IoT in the foreseeable future."

However, the report does not recommend implementing notice and choice options for every data use. Consistent with the FTC's 2012 Privacy Report, "Protecting Consumer Privacy in an Era of Consumer Change: Recommendations for Businesses and Policymakers,"6 the FTC staff states that data uses generally consistent with consumers' reasonable expectations do not require choice. The report also states that no consumer choice is necessary when data is de-identified immediately and effectively upon collection.

When choice is necessary, according to the FTC staff, companies could present choices at the point of sale, offer tutorials on device settings, provide an associated website to control settings, include privacy and security choices during setup wizards, use icons, or use email, text messages, or other methods. The report states that such notice must be clear and prominent.

Although the FTC staff agrees that use-based restrictions, such as those already provided in the Fair Credit Reporting Act, are helpful, the staff nevertheless expresses concern that a use-based approach would not work without legislation, rules, or codes of conduct in place listing permitted and prohibited data uses. The report also notes that usage rules do not address concerns about the collection of massive amounts of sensitive personal information.

Federal Legislation

The FTC staff reiterates their support for "strong, flexible, and technology-neutral federal legislation to strengthen [the FTC's] existing data security enforcement tools and to provide notification to consumers when there is a security breach," though they did not support IoT-specific legislation at this time. Commissioners Ohlhausen and Wright, however, do not support the staff's recommendation for baseline federal privacy legislation without evidence that such legislation would actually benefit consumers.

The report states that, in the meantime, the FTC will continue to engage in law enforcement, education, multi-stakeholder groups, and advocacy "to ensure that IoT companies continue to consider security and privacy issues as they develop new devices."

Implications

While technically not law, FTC staff reports typically provide valuable insight into the enforcement priorities of the commission and the approach the staff will take in their investigations. Companies in the business of producing IoT devices should expect greater scrutiny with respect to their practices related to security, data minimization, and notice and choice. Implementing the report's recommendations may reduce a company's exposure to FTC-related risk.

IoT companies that operate in the EU should also consider recent guidance published by the European data protection regulators. EU guidance in this area recommends: obtaining users' freely given, specific, and informed consent to the processing of their personal data (which may include IP addresses or device identifiers); offering users granular choices about the categories of data that are collected, and the time and frequency at which data is collected; allowing users to disable the "smart" feature of their device and thus to stop the collection of data while still being able to use the device as the original, unconnected version; and limiting the data processing to purposes that are well-defined before the start of the data processing and to what is strictly necessary for those purposes. With this guidance, companies producing IoT devices for consumers in the EU may have additional privacy and security obligations.

1 The FTC's staff report on IoT is available at http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

2 Commissioner Joshua D. Wright dissented to the report, arguing that staff should not make recommendations based only on a workshop and public comments. Rather, Commissioner Wright believes rigorous cost-benefit analyses must be performed prior to disseminating best practices and legislative recommendations. He states that the report "does not perform any actual analysis whatsoever to ensure that, or even to give a rough sense of the likelihood that the benefits of the staff's various proposals exceed their attendant costs." See Commissioner Wright's dissent at http://www.ftc.gov/system/files/documents/public_statements/620701/150127iotjdwstmt.pdf.

3 See Commissioner Maureen K. Ohlhausen's concurrence at http://www.ftc.gov/system/files/documents/public_statements/620691/150127iotmkostmt.pdf.

4 See Commissioner Wright's dissent at http://www.ftc.gov/system/files/documents/public_statements/620701/150127iotjdwstmt.pdf.

5 Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values (2014), at 56, available at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf.

6 See our WSGR Alert discussing the Privacy Report at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-FTC-final-privacy-report.htm. The FTC's Privacy Report is available at http://ftc.gov/os/2012/03/120326privacyreport.pdf.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
