In advance of the flood of interconnected devices likely to hit the market soon, the Federal Trade Commission (“FTC”) today announced the release of a new report on the Internet of Things (the “Report”). Focusing on privacy and security, the FTC makes several suggestions to companies developing Internet of Things devices that are marketed to consumers.
Highlights of the Report include the following:
- risk assessment: prior to and during development of a connected device, the FTC believes that companies should assess the risk that the device and its data could be compromised. Security protocols can then be tailored to minimize this risk.
- security by design: borrowing from the concept of “Privacy by Design”, the FTC indicates that connected products should be designed with security in mind from the outset and continuing throughout the design cycle, rather than as an afterthought.
- culture: the FTC suggests fostering a culture of security within company personnel, including providing training for employees on best security practices.
- third-party providers: the Commission maintains that companies should incorporate third-party vendors and providers into the company’s security practices to ensure continuity of those practices and associated policies.
- authentication: the Report recommends implementing reasonable security access controls for the consumer’s device.
- redundancy: even with authentication measures in place, the FTC recommends that companies employ multi-layered security protocols such that security measures cannot be defeated in one step.
- expiration dates: recognizing that electronic devices have a limited lifecycle, the Commission argues that companies should plan for continued support during the life of a device, with forthright representations as to how long the device’s security will be supported.
- data minimization: the Report suggests acquiring and retaining only data that is absolutely necessary for the device’s purpose and use. In the alternative, a company should establish reasonable data retention time limits. Regardless, the FTC suggests prominent disclosure to the customer about data collection and retention.
- de-identification: where large sets of data are stored, the FTC advocates de-identifying the data where possible to mitigate the risk of privacy violations in the event of a security breach.
- notice and choice: regardless of measures put in place to advance security and privacy, the FTC recommends prominently disclosing what data is collected and retained, as well as allowing customers to opt out as needed.
In the coming weeks, Norton Rose Fulbright will be exploring the unique security and privacy legal issues related to the Internet of Things. The FTC’s report is a good starting point for the conversation and debate that will ensue.