In-brief: An article in a publication for corporate legal counsel puts companies on notice about the risks of Internet of Things technologies, citing recent guidance from the FTC.
The security risks that come with adopting Internet of Things technologies have so far been more a matter of conjecture than anything else. But a recent article in a publication for corporate legal counsel suggests that IoT insecurity is getting board-room visibility.
The article, in the July issue of Today’s General Counsel, puts corporate legal counsel on notice about the risks of Internet of Things technologies, citing recent guidance from the FTC and urging companies to develop processes and methods for ensuring the security of connected products.
Authors Douglas Fleming and James Wendell advise corporate counsel at firms developing connected technologies to take careful note of the FTC’s January report, The Internet of Things: Privacy and Security in a Connected World. Specifically, the authors advocate the adoption of secure design methodologies and robust security testing.
“Because the FTC has taken an active role in policing privacy and data security issues, the staff report serves as an important starting point for IoT developers looking to implement privacy and security best practices,” they write.
Chief among the “to-dos” identified in the FTC report is to put security and privacy concerns front and center in any IoT project, the authors say. Small companies may be able to do that with just a single person tasked with privacy and security issues. Larger development shops may need an entire group responsible for overseeing security and privacy related to a project. The goal is to foster dialog and cooperation between developers and security and privacy experts.
“Building security into an organizational structure not only creates accountability, it will help foster the type of deliberate thought the FTC wants IoT developers to devote to privacy and security issues,” the two say.
The two also suggest that legal counsel be involved early on in the product development cycle to “head off” problems that may occur, especially in areas of privacy protection and security risk assessment.
IoT makers should consider the risks of copious data collection and retention and look for ways to minimize those practices – and hence the long-term risks posed by the IoT technology.
On the issue of security assessments and testing, Fleming and Wendell note that the FTC report suggests the Commission is unlikely to go easy on companies that fail to take adequate measures to test product security prior to release.
Companies need carefully structured security testing of their IoT technology prior to release. Beyond that, companies need to “consider the extent to which they will continue to monitor a product’s security after launch.” The FTC report makes clear that the Commission expects companies to “continuously monitor their products and to patch known vulnerabilities.” Companies developing IoT technology should “consider these issues early in the product development cycle to determine whether elements of the product’s design will make implementation of this best practice feasible or affordable,” the authors note.
The article echoes recommendations put forth in guidelines by The Online Trust Association, which called on IoT manufacturers to enshrine privacy protections and security features in their products, and to think about “sustainability” – or long-term management of IoT technologies.
In July, legislation was also put forward in Washington D.C. by Senators Ed Markey (D-MA) and Richard Blumenthal (D-Conn) that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy. The Security and Privacy in Your Car (SPY Car) Act would also establish a rating system to inform consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards.