What We Know

FTC Issues Report on the Internet of Things

February 6, 2015 | by Caren D. Enloe

The Federal Trade Commission (FTC) has issued a staff report on the “Internet of Things,” recommending businesses take concrete steps to enhance and protect the privacy and security of consumers. The report titled Internet of Things: Privacy & Security in a Connected World (http://www.ftc.gov/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things) provides a look at the FTC’s expectations for consumer data privacy and security for internet connected products. While the report does not have the force of law, it does provide insight as to the FTC’s minimum expectations should a data breach or other FTC Act violation occur.

In the report, the FTC defined the Internet of Things as devices (other than computers, smartphones, or tablets) that connect to or transmit information with or between each other by way of the Internet. These devices can include embedded intelligence such as smart appliances and medical devices. The report expressly excludes business-to-business products.

FTC REPORT RECOMMENDATIONS:

Companies developing Internet of Things (“IoT”) products should implement reasonable security. As noted by the FTC Staff, reasonable security is not a one-size-fits-all proposition. It should take into account a number of factors, including the amount and sensitivity of the data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities. At a minimum, however:

  • Companies should build security into their devices at the outset and not as an afterthought;
  • Companies should perform privacy or security risk assessments;
  • Companies should consider how to minimize the amount of data they collect and retain, with a goal of only collecting and retaining the minimum necessary;
  • Companies should ensure their service providers are capable of maintaining reasonable security;
  • For systems with a significant risk, companies should implement a defense-in-depth approach with security measures at several levels; and
  • Companies should continue to monitor products through their life cycle, patch known vulnerabilities, and clearly represent the extent to which they will provide ongoing security updates and software patches.

Companies should examine their data practices and business needs, and engage in data minimization. The FTC noted that data minimization helps safeguard against the potential harms of a data breach because a company that holds little valuable data is a less attractive target for cyber thieves. At a minimum:

  • Companies should develop policies and practices that impose reasonable limits on the collection and retention of consumer data;
  • Companies should establish reasonable retention limits for the data collected; and
  • Companies should also consider whether they can collect and maintain data in a de-identified form, keep up to date with technological developments to ensure the data is not re-identified, and require the same of their third-party vendors.

The FTC continued to emphasize that companies should provide consumers with notice and choice as to what data will be collected, particularly if data would be used in a way the consumer would not expect. While the FTC staff recognized the practical difficulties of providing choice where there is no consumer interface (for instance, smart appliances), the report does include several examples of how notices can be provided to consumers, such as through icons, set-up menus, and affixed barcodes linked to website interfaces.

LEGISLATION RECOMMENDATIONS:

Recognizing that this industry is in the early stages, the FTC did not advocate specific IoT legislation at this time; however, the report did recognize a need for general data security legislation. The report reiterated the Commission’s previous recommendation that Congress enact “strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.”


If you have questions or would like more information on this topic, please contact attorney Caren D. Enloe at 919.250.2125 or by email at cenloe@smithdebnamlaw.com.


Caren Enloe leads Smith Debnam’s consumer financial services litigation and compliance group. In her practice, she defends consumer financial service providers and members of the collection industry in state and federal court, as well as in regulatory matters involving a variety of consumer protection laws. Caren also advises fintech companies, law firms, and collection agencies regarding an array of consumer finance issues. An active writer and speaker, Caren currently serves as chair of the Debt Collection Practices and Bankruptcy subcommittee for the American Bar Association’s Consumer Financial Services Committee. She is also a member of the Defense Bar for the National Creditors Bar Association, the North Carolina State Chair for ACA International’s Member Attorney Program, and a member of the Bank Counsel Committee of the North Carolina Bankers Association. Most recently, she was elected to the Governing Committee for the Conference on Consumer Finance Law. In 2018, Caren was named one of the “20 Most Powerful Women in Collections” by Collection Advisor, a national trade publication. Caren oversees a blog titled Consumer Financial Services Litigation and Compliance, dedicated to consumer financial services, and has been published in a number of publications including the Journal of Taxation and Regulation of Financial Institutions, California State Bar Business Law News, Banking and Financial Services Policy Report, and Carolina Banker.