Over the last week, I participated in three very different events featuring discussion about the growth of the Internet of Things (IOT). The presentations confirmed that the IOT is expanding into all areas of our lives, at a rate faster than most can track. The first two instances were professional conferences about the IOT and legal risk. Not surprisingly, the speakers raised many questions about liability, duty, and risk, but they provided few solutions.
The third presentation was more practical and inspiring. The Marin School of Environmental Leadership’s Business Leader’s Breakfast featured Gordon Feller from Cisco Systems, who explained that connected devices play a crucial role in meeting sustainability goals for his company and its customers. Cisco aims to build environmental sustainability into each business function and process through the use of information and communications technology designed to improve the world’s standard of living, use of resources, and energy efficiency, while delivering new value to customers and society.
It is an ambitious goal, but the Terra Linda High School students participating in the Marin School of Environmental Leadership are receptive to using technology in ways that their parents never imagined. For them, innovation breeds opportunity to change and improve the world. And we all learned that amazing things are happening right here, right now.
A more conservative crowd gathered last week at the Advisen 2015 Cyber Risk Insights Conference in San Francisco, which was focused on the insurance industry. Conference Chair Garrett Koehn observed that the current cyber insurance market is estimated at $2 billion to $3 billion, with targets of $80 billion not far down the road.
Many speakers and attendees spoke about a gold rush mentality surrounding cyber risk and insurance underwriting, including the risks arising from the rapid growth of things connected to the Internet. A reality check was provided by keynote speaker David Johnson, FBI Special Agent in Charge of the San Francisco Division, who reported that we are going to need a “bigger boat” to protect ourselves against cyber risk, as the FBI estimates that the number of victims exceeds 500 million annually, 30,000 websites are hacked daily, and annual losses are expected in the range of $100 billion to $500 billion. He called upon private sector participants to educate themselves and others to gain a better understanding of cyber risks and threats.
Finally, an American Bar Association webinar entitled “Privacy, Security, And The Internet Of Things: The Looming Crisis” featured Kristen Anderson from the Federal Trade Commission Division of Privacy & Identity Protection. The Commission aims to protect consumers from unfair or deceptive acts or practices, including those arising in a growing world of Internet-connected devices.
Anderson cited the January 2015 release of a detailed report on the Internet of Things, where the staff of the FTC recommends steps that businesses can take to enhance and protect consumers’ privacy and security. She identified common mistakes made by businesses, such as storing information longer than needed or online when not necessary; using default or other easy-to-guess passwords; storing or transmitting confidential information in plain text; failing to take steps to segment or restrict access to data; failing to provide appropriate employee training and oversight; and failing to take reasonable steps to detect or investigate breaches.
Anderson’s presentation also identified common privacy failures, including rolling out a new service or feature that increases sharing without adequate notice and consent, or misrepresentations about tracking, features, or the collection, sharing, and deletion of data. She provided these four key points that guide the FTC’s enforcement actions:
- Information security is an ongoing process;
- A company’s security procedures must be reasonable and appropriate in light of the circumstances;
- A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security; and
- Practices may be unreasonable and subject to FTC enforcement.
Both the IOT report and the ABA presentation emphasize the FTC’s position that companies should build privacy and security into products and services at the outset, collect and keep only what is needed, provide clear and truthful notices and representations, and give consumers choices about data uses that are not obvious to them.
The three programs emphasized in different ways that connected devices present new opportunities and risks for businesses that are rushing to innovate. The devices come in all shapes and sizes, with many different uses and endless possibilities. Connectivity is fueling growth.
Indeed, author Marc Goodman has observed that the Internet is set to grow from the size of a golf ball to the size of the sun. We may not yet be able to tell how long this journey to the sun will take, but the pace will undoubtedly accelerate exponentially over time. As such, care should be taken now, before it is too late, to consider IOT sustainability, risk management, and regulatory compliance. Going forward, these will present red-hot issues for litigators and lawyers of all disciplines. Prepare to buckle up for what should be a fast and exciting journey.