"The Internet of Things has truly become the Internet of EVERY Thing, where everything - from humans to agriculture to manufacturing to marketing - is connected..."
In an era of ever-evolving ‘wired’ technology, increasing interconnectedness, and business and personal concerns about data security, we recently asked attorneys writing on JD Supra: What will be among the defining issues of 2016 involving the Internet of Things (IoT)?
Here is what we heard back:
1. Security, Security, Security, Security, Security
From Simon McDonald, Special Counsel at K&L Gates: "One of the defining issues of 2016 with the Internet of Things will be the continuing challenges organizations will have in securing their devices and systems. As organizations rush to make their products or systems smarter, they need to adequately address the increased vulnerability presented by smarter devices to their data, systems, and networks. Increasingly, security flaws have been exposed in products such as toys, home appliances, cars, and industrial machinery. Particularly for organizations with an immature grasp of technology and communication networks, it highlights that potentially there is insufficient attention being paid to security.
Key considerations in the development or implementation of smart devices will be: (a) how devices, data, and networks are secured; and (b) what mechanisms will be used to update security (often in superseded devices) to counter changing security threats. Not only does insufficient focus on security potentially undermine confidence in these products and the associated industry but more significantly it enhances an unscrupulous individual's or organization's ability to engage in activities which threaten individuals, communities, or nations."
In 2016, we will likely see an increase in the FTC's IoT enforcement actions, as well as an increase in private privacy litigation...
Kathryn M. Rattigan, associate at Robinson & Cole: "Approximately one year ago, the Federal Trade Commission (FTC) released its Internet of Things: Privacy & Security in a Connected World report urging companies to implement best practices for consumers' privacy and data security, and shortly thereafter, introduced the new Office of Technology Research and Investigation unit to protect consumers from IoT failures. Since the FTC's release of its report, and the start of its new IoT unit, we have yet to see any enforcement actions against companies for their IoT failures. While the FTC's case against TRENDnet in 2013 is known as the first (and only) IoT action to date, in 2016, we will likely see an increase in the FTC's IoT enforcement actions, as well as an increase in private privacy litigation (in particular, a rise in class action plaintiffs) against IoT companies and manufacturers for failure to properly utilize the FTC's IoT privacy and security recommendations when these individuals attempt to claim losses and sue for damages related to IoT data breaches.
A new year's resolution for IoT companies and manufacturers? Maintain reasonable security measures, update your privacy policies, and freshen up on the requirements of the Fair Credit Reporting Act (FCRA) when using IoT data for credit, employment, insurance, or other types of eligibility."
H. Michael O'Brien, partner at Wilson Elser Moskowitz Edelman & Dicker: "Researchers and technology experts have forecast that the exponential growth of the Internet of Things (IoT) will follow Moore's Law, which will make embedding chips into almost everything economically viable and technically feasible. With this growth, the cracks in security with IoT-connected devices will become even more pronounced, especially as hackers begin to identify ways to monetize the vulnerabilities. There also will be growing concerns with software failures leading to unintended consequences, such as property damage and bodily injury, because of either software defects or deliberate actions taken by hackers. Litigation against companies deploying IoT technology will emerge in 2016 as a serious concern for business stakeholders. In 2015 there were at least three class action lawsuits brought against companies based on alleged vulnerabilities with IoT software."
Litigation against companies deploying IoT technology will emerge in 2016 as a serious concern for business stakeholders...
Shabbi Khan, associate at Foley & Lardner: "To increase adoption, IoT device manufacturers are constantly trying to reduce costs, which can result in manufacturing IoT devices with security vulnerabilities. A network, like the proverbial chain, is only as secure as its weakest link. As such, when inexpensive IoT devices with security vulnerabilities are deployed in existing networks, these IoT devices expose the networks to the same security vulnerabilities. Over the past few years, data breaches at Target, Home Depot, and other big retailers have generally been limited to data collection raising privacy concerns. In contrast, by breaching a network on which IoT devices are deployed, the impact of such a breach can have more serious consequences as these IoT devices can provide access to not only data but also to other physical objects, such as door locks, security cameras, and machinery. The risk of a security breach through IoT devices that introduce security vulnerabilities to a network raises many legal concerns. It would be prudent for IoT device manufacturers as well as service providers to reach out to legal counsel to discuss ways to contractually protect them from lawsuits arising due to security breaches via IoT devices."
Kelly Wilkins, partner at Snell & Wilmer: "Many IoT devices have known vulnerabilities and don't have security as an integral part of their design. IoT devices are actually mini-computers, tied to a network and running reasonably complex software. Recent examples of vulnerabilities are recording and storage of conversations in the cloud through a talking doll, terrorists communicating through gaming systems, and hackers taking control of a vehicle remotely and making it do whatever they wanted. A real danger of this area is that consumers don't yet think of these devices as security risks. A router, for example, is something that a consumer might buy every few years, set up as quickly as possible, and then forget about as it gathers dust in a corner of the home. Cybercrime is on a dramatic rise and there will be an increase in attack vectors through the Internet of Things."
Many IoT devices have known vulnerabilities and don't have security as an integral part of their design...
2. Voluntary Standards and Codes of Conduct (aka Self-Regulation)
Jeremy Meisinger, associate at Foley Hoag: "I think we are likely to see more industries, particularly emerging industries, coming together to consider forming voluntary standards or codes of conduct to impose some order on what is quite a sprawling landscape of potential liability. There is clearly keen interest from the Federal Trade Commission in the privacy challenges presented by new technologies and particularly by the Internet of Things. At the same time, given the number of new technologies and speed of technological change, the FTC cannot issue guidance or regulations to cover every context. I have written in the past, for example, about the privacy concerns presented by smart electrical meters, the data from which allows one to extrapolate a great deal about the lifestyle of a person. This led to a voluntary code of conduct developed in concert with the Department of Energy. I think you are going to see many companies in emerging industries evaluating whether it makes sense to undertake some self-regulation before something bad happens that invites harsher regulation."
And related, a look towards predicting and protecting against IoT-related liabilities:
Sulina Gabale, associate at Reed Smith: "The Internet of Things (IoT) is the language of the future; previously mundane objects are now sharing information and coordinating activities all around us. We've seen smart phones, smart cars, and even smart refrigerators; now developers are creating smart cities to integrate wireless networks that cater exclusively to smart devices for municipal and commercial purposes. IoT is infiltrating every industry and brings with it evolving legal challenges, from cybersecurity of medical devices in health care to behavioral tracking across devices in advertising. As developers become increasingly imaginative in this space, it is integral that legal practitioners be equally as imaginative in order to predict and protect against potential liability stemming from the proliferation of IoT."
IoT is infiltrating every industry and brings with it evolving legal challenges, from cybersecurity of medical devices in health care to behavioral tracking across devices in advertising.
3. A Focus on Data Management and Info Governance
Ellen S. Pyle, Discovery Counsel at McDermott Will & Emery: "We will continue to see enormous growth in the Internet of Things with upwards of 6 billion connected data-collecting machines, devices, applications, and sensors connected to each other and the Internet. This growth will bring commensurate data management challenges as the data will be increasingly varied, including everything from biometrics and other personal data, to geolocation, vibration, motion, and temperature. We will see an increased understanding that the Internet of Things has truly become the Internet of EVERY Thing, where everything - from humans to agriculture to manufacturing to marketing - is connected through a vast spider web of intertwined networks.
...data - whether on its own, or combined with other data points - will often be discoverable.
The expansion of data volume, and its increasing variety, will carry serious implications for corporations, requiring vigilant monitoring and control through comprehensive information governance strategy. The expansion will also have litigation and regulatory implications, as this data - whether on its own, or combined with other data points - will often be discoverable. Corporations will continue to seek out technology and data-savvy counsel to help them manage these increasing data sets in a manner proportionate to the litigation or investigation at hand.”