It’s Data Privacy Day 2015
Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.
Use the Opportunity
Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.
The Federal Trade Commission Issues IoT (Internet of Things) Report
Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World,” along with a document that summarizes the best practices for businesses contained in the Report. The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.
The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate. Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT. Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that give people the tools to monitor their own vital signs from home and avoid trips to the doctor; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.
The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.
In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle. However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens. The FTC recognized these concerns but still proposed best practices based on these principles.
Data Security Best Practices:
Security by design. This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.
Personnel practices. Responsibility for product security should rest at an appropriate level within the organization. This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.
Oversee third party providers. Companies should provide sufficient oversight of their service providers and require reasonable security by contract.
Defense-in-depth. Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel. Sensitive data should be encrypted.
Reasonable access control. Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.
Data Minimization Best Practices:
Carefully consider data collected. Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.
Only collect necessary data. Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.
Deidentify data where possible. If deidentified data would be sufficient, companies should only maintain such data in a deidentified form and work to prevent reidentification.
Notice and Choice Best Practices: The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example, when information is collected to support the specific purpose for which the device was purchased.
When notice or choice is necessary, the FTC offers several suggestions for how a company might give or obtain it, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; provide choices during initial set-up; (4) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (5) provide notice through emails or texts when requested by consumers; and (6) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer already made on another device.
Legislation. The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation. Instead, the FTC recommends technology-neutral privacy and data security legislation. Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.
In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy. Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes. Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.