The Internet of Things (IOT) raises legal and regulatory challenges, mainly in the area of privacy and security.
Speaking on two panels in the Bay Area, Michael reflected on the big issues including:
- Who owns the data
- Cybersecurity – “anytime you connect something to the Internet, you open it up to an attack”
- Hacking (botnets, thingbots)
- Vulnerability to being redeployed for other purposes
- Are there privacy policies for IOT? What privacy protections exist? What can the devices learn about you that you want to keep private?
- Do HIPAA breach notification laws apply? How do consumers find out about a breach?
- Control – refrigerator could stop ordering you cheesecake if it feels you’re too fat
- Liability – who is liable if the sensors or communications malfunction and transmit wrong information?
“Imagine a world where an electric utility company can tell what movie you are watching just from reading your electricity usage. Or your Internet-connected toaster can tell when you’re on vacation and when you’re home. Or FitBit can tell when you’re having sex.” Danny Vinik, How to regulate something that barely even exists yet, Politico.
Big market players in IOT will include:
- Self-driving cars (reduce accidents)
- Smart meters on household devices
- Home health care and hospital care
The Senate Committee on Commerce, Science and Transportation recently held a hearing as to whether IOT requires stronger privacy and security protections. The bill resolves that the US should “incentivize the development of the Internet of Things … to maximize the promise connected technologies hold to empower consumers….”
Current IOT regulation includes:
- FTC (regulates truth-in-advertising)
  - Takes enforcement action against violators
  - FTC Report on IOT (1/27/15)
    - Data Security: companies should
      - build security into devices at the outset
      - train employees about security
      - ensure that outside providers maintain security
      - identify security risks and have a “defense in depth” strategy with multiple layers of security
      - prevent unauthorized access, monitor devices, and provide security patches
    - Data Minimization (companies should not collect more data than necessary—i.e., no data, limited data, or de-identified data)
    - Notice and Choice (let consumers choose what data to share, and notify them regarding breaches)
- FDA (regulates medical devices) – for example, hacking of wireless medical devices
  - Low-risk, general wellness device guidance (removes some devices from the definition of medical devices)
  - Mobile medical app guidance (removes some apps from the definition of medical devices; provides for enforcement discretion for many apps)
- FAA (driverless drones)
- NHTSA (driverless cars)
- Energy Department (smart grid technologies that track household energy usage)
- EPA (network sensors that monitor pollutants)
- NIST (standards governing technology)
Issues with regulation: “Government operates in silos…. The IOT is a freewheeling system of integrated objects and networks, growing horizontally, destroying barriers so that people and systems that never previously communicated now can. Already, apps on a smartphone can log health information, control your energy use and communicate with your car — a set of functions that crosses jurisdictions of at least four different government agencies.” Darren Samuelsohn, What Washington really knows about the Internet of Things, Politico.
IOT is a game-changer. We can try to apply existing regulatory frameworks to IOT, but with the thingification of reality, things might just get ahead of us.