The recently released Federal Trade Commission staff report, Internet of Things: Privacy & Security in a Connected World, provides companies with insight into the FTC's consumer privacy and data security expectations for the quickly growing market of Internet-connected products, commonly called the Internet of Things (IoT). The report summarizes the FTC's 2013 IoT workshop and discusses some of the challenges businesses face in collecting consumer information through this emerging market.
The IoT refers to "devices or sensors—other than computers, smartphones, or tablets—that connect, communicate, or transmit information with or between each other through the Internet." These "devices or sensors" include medical devices that physicians use to treat patients' illnesses and smart appliances that monitor energy usage. Given the FTC's mission to protect consumers, the report does not discuss IoT devices sold in a business-to-business (B2B) context; however, the report's recommendations would apply to B2B devices if they collect information about consumers, or collect information that can be combined with other available information to reflect on or provide insight about consumers.
The FTC is the second federal agency in recent days to issue guidance on the IoT. Earlier this month, the U.S. Department of Energy released its Voluntary Code of Conduct (VCC) for smart grid enabled technologies. While designed for utilities and third parties using energy grid information, the VCC, like the FTC's report, focuses on ensuring that consumers are informed of companies' information collection practices and that consumer information is protected.
The FTC report recommends that companies adopt reasonable security practices, minimize their data collection efforts, and provide consumers with notice and choice about what data IoT devices collect.
Reasonable security depends on a number of factors, including the amount and sensitivity of data collected and the costs of remedying security vulnerabilities. The FTC staff recommends a "security by design" approach that assesses the privacy and security risks of a product, both at the design stage and throughout the IoT device's life cycle. Security should be designed into IoT products. Companies collecting and retaining sensitive information, such as health data, should implement greater security protections and encrypt data both in storage and in transit. Employee training and proper vendor management are also key elements in any security plan. Companies should explain clearly to consumers if and how security updates are handled. An FTC companion report, Careful Connections: Building Security in the Internet of Things, provides additional details on these security recommendations.
The report advocates data minimization—limiting what data is collected and retained and disposing of it once it is no longer needed—as both a security precaution and a privacy protection. The FTC staff is concerned that maintaining large troves of consumer data could make a company a target for criminals and could increase the risk that the company will use the data "in a way that departs from consumers' reasonable expectations." If a company finds it needs to collect and retain large amounts of data, sensitive or not, the FTC suggests it consider maintaining the data in a way that protects consumer privacy.
Notice and Choice
The report acknowledges that providing consumers with notice and choice about the type of data an IoT device collects can be challenging because of the ubiquity of data collection and the practical obstacles to providing information without a user interface. Nonetheless, the FTC staff believes that notice and choice remain important, particularly if information is to be used in a way that the consumer would not expect. The report suggests a number of alternative strategies a company may adopt to alert consumers to its data practices, such as notification at the point of sale or during setup. Whatever approaches are chosen by a company, notification should be clearly and prominently disclosed and not be buried in lengthy documents.
While concluding that IoT-specific legislation would be premature and may stifle innovation at this early stage of development, the FTC staff reiterated the agency’s previous recommendation for Congress to enact strong, flexible, and technology-neutral data security legislation and broad-based privacy legislation. In the interim, the report affirmed that the FTC will continue to use its existing powers to ensure that IoT companies consider security and privacy issues as they develop new devices.
Although the FTC best practices do not have the force of law, they provide businesses with insight into regulators' expectations for how consumer data is collected and used, and highlight the issues the FTC will focus on in future actions. Companies (including utilities) should regularly assess how their information and security practices compare with regulators' expectations, especially when launching IoT-enabled devices and services.