Consumers are connecting more devices to the Internet than ever before. Experts forecast that up to 200 billion “smart” devices may be connected globally by 2020. With such growth in the Internet of Things (IoT), both data collection and sharing also increase, underscoring the importance of data security considerations.
In the U.S., the Federal Trade Commission (FTC) is the primary government enforcer with respect to business compliance concerning data security obligations. The FTC has the authority under the FTC Act to prohibit unfair or deceptive acts or practices in or affecting commerce. The FTC has interpreted this authority to extend to data security practices, which was affirmed by at least one federal appellate court. The FTC also has other specific data security-related rules within its arsenal, including those associated with certain financial services, credit-related information, and children’s data.
The FTC’s primary focus in the data security context is whether: (1) an entity misrepresented its data security practices or security controls (a “deception” claim), or (2) failed to implement or maintain “reasonable” and “appropriate” safeguards to secure personal information in a way that causes or is likely to cause substantial consumer injury, and such injury is not (a) outweighed by benefits to consumers and (b) reasonably avoidable by consumers (an “unfairness” claim).
The FTC has actively enforced these powers for more than a decade. And, in the last few years, the agency has focused on data security within the IoT industry in particular. Its first IoT action involved connected cameras and baby monitors with security flaws that allowed hackers to access and then post online the live private video and audio feeds of nearly 700 connected cameras. The second IoT action was brought against a company that allegedly failed to adequately secure its connected routers and “cloud” services and misrepresented the products’ security in advertising claims.
Although the FTC Act does not expressly state the specific security practices that companies must implement, the FTC’s more than 55 data security enforcement actions, numerous staff reports, business guidance, and public workshops (as well as the broader scope of FTC consumer protection law) provide helpful guidance.
The following highlights many of these “smart” security practices that businesses can use when designing, developing, launching, and marketing IoT and other connected devices.
- Build security into the design. Factor in security into the decision-making process from the beginning. Making conscious choices concerning the information collected, how long it is retained, and who can access it, can help reduce the risk of such data being compromised down the road.
- Knowing what data the device will collect and transmit will help to inform how such data should be secured. Entities should understand precisely what individual and device identifiers the device will collect and transmit, both intentionally and unintentionally, actively and passively, from and about users. This should be viewed in terms of whether such information could be considered personal to the user or identify the device or location. The FTC has taken a broad position on what may constitute personal information, such as: (1) a persistent identifier, such as a customer number held in a cookie, static IP address, or mobile device ID; (2) precise geolocation data; (3) an authentication credential, such as a username or password; and (4) photo, video, or audio files. Extra security considerations should be applied when developing a device that will collect sensitive consumer data, such as financial information, geolocation, or information collected about special populations like children or the elderly.
- Minimize or anonymize the data collected and retained. Companies should develop policies and practices that impose reasonable limits on the collection and retention of consumer data. For instance, maintaining only truncated credit card information, or anonymizing data maintained on the device or company’s network systems, can help to minimize exposure in the event of a security breach. Companies should minimize the data being collected to what is necessary for a business purpose or device functionality.
- Implement reasonable security measures to protect the data. What constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and associated costs of remedying any vulnerabilities. Security measures also should go beyond simply safeguarding the device. Companies should implement reasonable administrative, technical, and physical safeguards at the company-level, based on its size, and the nature and scope of data collected. These controls, both at the device-level and by the company, should be tested and monitored pre-launch, on a periodic basis, and with respect to new updates and features that will be added to the device.
- Confirm any data security representations are accurate and supported. Companies should ensure that all representations concerning the security of the device, or how information is secured, are accurate, up-to-date, and substantiated. This can include representations in consumer-facing documents, such as privacy policies, customer agreements, product user guides, or advertising materials. The FTC often will look at these representations when determining whether a practice is deceptive.
- Appropriately supervise and monitor third parties. Develop a documented process for overseeing and monitoring third party service providers and business partners to ensure that any personal information shared with or maintained by such third party is appropriately secured. This can include executing agreements containing strong provisions requiring third parties to limit their use of such data, confirming appropriate information security safeguards, requiring the third party to provide notice of any known or suspected breach, and identifying their responsibilities and liability if such a breach should occur.
- Keep current on security trends and FTC actions. Companies should stay up to date, not only with the latest security software and hacking trends, but also the latest applicable developments at the FTC. Workshops and staff reports will provide insights into where the agency will focus next.
Conclusion
By implementing reasonable data security practices from the start, companies can boost consumer trust, and efficiently and proactively mitigate the potential and scope of a security breach. Those considerations also can help reduce potential legal and financial consequences.
[su_box title=”About Alysa Z. Hutnik and Crystal N. Skelton” style=”noise” box_color=”#336588″][short_info id=”67301″ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.