This post first appeared on Risk Management Magazine. Read the original article.
According to a January 2017 forecast from Gartner, 8.4 billion internet of things items will be in use worldwide this year—a 31% increase from 2016—to the tune of almost $2 trillion in annual spending on devices and services. As companies create these interactive items, most of which can track consumers, the Federal Trade Commission (FTC)—the government agency with primary responsibility for protecting the privacy and security of consumer data—is watching.
In a recent report, the FTC cited “enabling unauthorized access and misuse of personal information” as its top area of concern regarding the internet of things. Not long before the FTC issued its June 2017 IoT analysis, consumer electronics company Vizio found out first-hand about the commission’s regulatory priorities. In February, Vizio settled a complaint by the FTC and New Jersey attorney general’s office claiming it had installed software on about 11 million smart TVs and used it to secretly track customers’ detailed viewing habits from 2014 to 2016. The complaint alleges that Vizio then linked that data with specific household demographics and sold the information to third-party marketers—all without customers’ consent. Vizio ultimately had to destroy all the data collected during that time and pay $2.2 million to settle the suit.
A class action litigation followed for Vizio, making the company one of the many to find itself defending such litigation in the IoT space. For example, a recent federal lawsuit claims Bose has been tracking the listening habits of customers who use its connected headphones and selling the information to a third party, all without providing notice in its privacy policy or getting consent from users. Another class action against Samsung claims the company’s smart TVs have been spying on consumers by secretly recording their private conversations.
Any risk manager who does not want their company to land in similar legal hot water should pay close attention to these words: “without the consent of their consumers.” IoT cases are often brought as unfair or deceptive practices cases by the FTC, state attorneys general and class action lawyers, all of whom claim that the defendant did not properly notify the consumer that it was collecting data or how it would use or share that data.
Perhaps even more importantly, in the age of IoT, consumer trust is critical. If people cannot trust internet-enabled devices with their data, IoT investments will fail to deliver the return on investment that companies are chasing. In a recent Accenture survey of consumers, almost half of respondents said they were concerned about privacy and security, and that concern contributed to their reluctance to purchase IoT devices. If companies do not treat privacy compliance as a key component of corporate risk management, they not only risk monetary penalties and legal consequences, but they may also squander their IoT investments with bad PR and consumers who resist purchases out of fear and a lack of trust.
Despite the high stakes of privacy compliance, companies are not taking the risks seriously. In AT&T’s Cybersecurity Insights Report, which surveyed more than 5,000 enterprises around the world, 85% of respondents said they are either in the process of deploying IoT devices or they intend to. Only 10% of those respondents are confident that they would be able to secure those devices against hackers.
The onus is on risk management professionals, along with privacy, security and legal teams, to ensure that these risks are addressed. Unfortunately, when it comes to data privacy and security regulation in the United States, there is not necessarily a single or absolute set of rules, although the FTC is working to solidify its positions and recommendations on IoT compliance.
As the law in this area evolves, organizations can establish safeguards against IoT risks with a set of best practices:
1. Determine who is responsible for IoT privacy compliance.
When companies end up neck-deep in litigation, it is often not because anyone at the organization intended to do harm. Instead, something fell through the cracks. When launching an IoT initiative, one of the first orders of business is to establish who is responsible for privacy compliance. The specific title of the executive assigned to the role frequently differs depending on the culture and size of the company and the type of IoT product being designed, such as whether it is a connected car, a wearable or an app. If they are not directly responsible, risk managers should ensure that someone is charged with IoT compliance and that this person is reporting to the highest-level risk manager.
2. Map the collection, storage and use of consumer data.
Disciplines across business lines (IT, marketing, legal, compliance, third-party developers) must collaborate to create a cohesive picture of how consumer data flows through the various channels and who has permission to access, store and push data. How is the data being collected? How is it stored? Who has access to it and why? What are they doing with it and why? This process must be meticulous and take into account the various technologies involved to foresee potential vulnerabilities. Companies are under tremendous pressure to introduce new products at breakneck speed, but cutting corners here can lead to significant setbacks down the road that will erode any time-saving gains during the process.
3. Institute privacy by design as part of the process.
“Privacy by design” is a phrase bandied about a lot lately, but it simply means including privacy and security considerations at the onset and throughout the product development process. Companies should ensure the data mapped in step two is aligned with promises the company has made to customers regarding the management of their data, and should consider whether the data being collected is necessary, how it will be used and shared, what disclosures will be made to consumers, and what choices they will have. It is almost always easier and less expensive, not to mention more effective, to address compliance during development rather than in connection with launch. Get involved early. Make material disclosures to consumers clear and easy to understand. Give consumers choices.
4. Create policies, action plans and contracts that anticipate the impact of IoT.
Risk management professionals should work closely with legal and IT departments to formalize specific policies regarding consumer data, to foresee any risks that might arise surrounding their data, and examine how the company will respond in various scenarios. Imagine the worst-case scenarios—the likelihood of security breaches and the vulnerability of consumer data, for example—and take steps to avoid those risks, draft clear policies to address those concerns, and be prepared. Employees should understand what the company has promised customers and be empowered to uphold those promises. Third parties with access to data are a key component of risk—understand who touches the data and why, and make sure there are strong contracts that address data collected and how it is used.
5. Train employees on the importance of compliance.
Even the strongest privacy policy is only as good as those who enforce it. Train employees on the requirements of any IoT policy and build privacy and security compliance into the company culture. Training employees is a relatively minor investment with a major return.
Companies have advanced their IoT initiatives beyond the experimentation phase, and they are poised to innovate with serious IoT rollouts. The challenge companies face is balancing the speed of deployments with the time needed to ensure IoT privacy compliance. It is tempting to sacrifice compliance in a rush to take a product to market, but companies should resist the urge to cut corners. Remember, consumers, regulators and plaintiff’s firms are watching.