On Tuesday, January 27, the FTC issued a 71-page Staff Report on the privacy and security issues with the Internet of Things. As we’ve noted in our previous blog posts, the Internet of Things (“IoT”) refers to the growing ability of everyday devices to monitor and communicate information through the Internet. This FTC Staff Report follows up on the FTC’s public workshop over concerns with the IoT, as well as the FTC’s first enforcement action brought in September 2013.
In the Staff Report, the FTC referenced the various potential security risks that IoT products present. Such connected devices could, if exploited, lead to consumer harm by enabling the unauthorized access and misuse of personal information; facilitating attacks on other systems; and creating risks to personal safety. In addition, potential privacy risks could flow from the collection of personal information, habits, locations, and physical conditions over time. To address these risks, the FTC recommended that companies developing IoT products take the following concrete measures in the areas of security, data minimization, and notice and choice:
- Security. The FTC recommended that companies: (1) build security in their IoT devices at the outset; (2) train all employees about good security; (3) retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these providers; (4) implement a “defense-in-depth approach” by considering security measures at several levels; (5) implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or network; and (6) monitor products throughout the life cycle and, if feasible, patch known vulnerabilities.
- Data Minimization. The Staff Report also encouraged companies to examine their business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. The FTC noted, though, that this recommendation is flexible and intended to give companies options. Per the FTC, companies can decide not to collect data at all; collect only the fields of data necessary to the product or service; collect data that is less sensitive; or de-identify the data collected. If none of these options is consistent with the companies’ business needs, they can seek consumer consent for collecting additional, unexpected categories of data.
- Notice and Choice. The FTC incorporated certain elements from a use-based approach. In other words, if a use of the data by the company is consistent with the context of the interaction with the consumer (i.e., an expected use), then a choice need not be offered to the consumer. For uses that would be inconsistent with the context of the interaction (i.e., unexpected), the FTC recommended that companies offer clear and conspicuous choices. In addition, if consumer data collected is immediately and effectively de-identified, then the FTC stated that a choice need not be offered to the consumer. The FTC encouraged legislators and multistakeholder frameworks to help guide companies on what types of users of certain consumer data are permissible or impermissible, and address other concerns.
Finally, the FTC acknowledged that IoT-specific legislation at this stage would be premature. However, it did reiterate previous recommendations for Congress to enact broader, general data security legislation. Commissioner Joshua Wright dissented, citing the lack of empirical evidence and questioning whether the recommendations in the Staff Report would even improve consumer welfare. Said Commissioner Wright, the FTC should “at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”
IoT has been a hot topic lately, garnering a lot of attention from the FTC. With the Staff Report finally released, companies now have a loose playbook on how to develop such products while keeping privacy and security in mind. With the FTC promising more enforcement in this area, we will be watching closely to see how the FTC translates its Staff Report into practice.