- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
February 18th, 2015
The Internet of Things: Best Practices for Developers
What is the Internet of Things (the "IoT")? It's the ability of everyday objects to connect to the internet and collect and transmit data. Examples include the thermostat in your home that you control from your computer 200 miles away; the wristband that monitors your heartbeat and transmits information to a fitness app on your iPhone; and the E-ZPass you use to drive through tolls without stopping. While IoT still feels new, the FTC estimates that there are already 25 billion things connected to the internet today, and that number is projected to double, to 50 billion, by 2020 (to put those numbers in perspective, there are roughly 6.9 billion people on the earth).
The FTC recently released a Staff Report discussing its November 2013 workshop on the IoT, titled Internet of Things: Privacy & Security in a Connected World. The report focuses on the implications of the rapidly expanding IoT on consumer privacy and data security. The report comprises public comments as well as input from attendees of the workshop in DC, which included leading technologists and academics, industry representatives, and consumer advocates.
The report endorses baseline privacy legislation and industry-wide best practices to help ensure that privacy and security concerns do not undermine consumer confidence. Although FTC staff specifically note that IoT-specific legislation would be premature, given the quickly changing nature of the technology, the report highlights the Commission's bipartisan recommendation for federal data security and broad-based privacy legislation, including data breach notification legislation that would strengthen Congress's existing data security enforcement tools. The report lays out best practices for companies developing devices for the IoT and discusses four ongoing initiatives.
The report includes the following recommendations for companies developing IoT devices:
- Educate consumers. Recognizing that many IOT products do not provide screens or other traditional interfaces, the report encourages developers to find new ways to educate consumers about privacy and data security.
- Provide notice and choice. The report urges developers to give consumers notice and choice about how their information will be used, especially when the data collection is beyond consumers' reasonable expectations.
- Build in security. The report encourages companies to build security into devices at the outset of design and development,rather than as an afterthought or in response to a breach.
- Train employees about the importance of security. The report asks companies to train their employees on data security issues, and ensure that security is managed at an appropriate level in the organization.
- Hold third parties accountable. The report urges developers to review the work of outside service providers and ensure they are able to maintain reasonable security.
- Set up multiple layers of defense. The report counsels IoT product developers to consider a "defense-in-depth" strategy for when a security risk is identified, whereby multiple layers of security may be used to defend against a particular risk. The report also urges consideration of measures to prevent unauthorized access to a consumer's device, data or personal information stored on your network.
- Think long term. The report asks developers to monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
- Don't collect more data than you need. The report asks developers to consider "data minimization," which means limiting the collection and retention of consumer data.
The report also describes four ongoing initiatives:
- Law enforcement. The FTC enforces - among other statutes - the FTC Act, the Fair Credit Reporting Act, COPPA, and the health breach notification provisions of the HI-TECH Act.
- Consumer and business education. The FTC is continuing its effort to provide advice for businesses with the publication of Careful Connections: Building Security in the Internet of Things, which is likely the first of many FTC publications addressing the IoT.
- Participation in multi-stakeholder groups. The FTC is already working with groups considering guidelines and best practices - and those efforts will continue.
- Advocacy. The FTC plans to look for opportunities to work with other government agencies, state legislatures, and courts to promote security and privacy protections for the IoT.
Companies should understand that this FTC Report represents a very early step in the regulatory process, and we expect more legislation and other guidance for IoT developers to follow soon. Companies in the IoT space should consider involving Privacy counsel in all phases of development, including the initial product design and marketing phases. Privacy counsel can help ensure regulatory compliance and consumer-related privacy concerns are built into the foundation of the product and messaging, and are not an obstacle to future development.
For more information about the FTC's Staff Report on the IoT, or about any other Privacy or Data Security law issues, please contact Greg Boyd at (212) 826-5581 or firstname.lastname@example.org, Jeremy Goldman at (212) 705-4843 or email@example.com, or Jess Smith at (212) 705-4876 or firstname.lastname@example.org,or any other member of the Frankfurt Kurnit Advertising or Technology, Digital Media & Privacy Groups.
Other Technology Law Alerts
FTC Settles First-Ever Action Against Individual “Influencers”
September 18 2017
No Harm, No Foul: Court Dismisses Biometric Data Privacy Class Action Against NBA 2K Games
Biometric data — from, e.g., retina, face and fingerprint scans — plays a big role in the current wave of new technology services. For example, biometrics provide security features for financial and healthcare products. But companies using or thinking of using biometric data have to comply with myriad privacy and data security laws and regulations, or face potential enforcement action and litigation.
February 16 2017
ZeniMax v. Oculus: Lessons from a $500 Million VR Case Verdict
The Oculus Rift has been one of the most anticipated technology developments in modern video game history. Now — as a result of avoidable mistakes — it is also a teaching case for lawyers advising clients in the interactive entertainment space. Here's a rundown of the case and the traps the developers fell into.
February 9 2017