Frankfurt Kurnit Klein & Selz

February 18th, 2015

The Internet of Things: Best Practices for Developers

What is the Internet of Things (the "IoT")?  It's the ability of everyday objects to connect to the internet and collect and transmit data. Examples include the thermostat in your home that you control from your computer 200 miles away; the wristband that monitors your heartbeat and transmits information to a fitness app on your iPhone; and the E-ZPass you use to drive through tolls without stopping. While IoT still feels new, the FTC estimates that there are already 25 billion things connected to the internet today, and that number is projected to double, to 50 billion, by 2020 (to put those numbers in perspective, there are roughly 6.9 billion people on the earth).

The FTC recently released a Staff Report discussing its November 2013 workshop on the IoT, titled Internet of Things: Privacy & Security in a Connected World. The report focuses on the implications of the rapidly expanding IoT on consumer privacy and data security. The report comprises public comments as well as input from attendees of the workshop in DC, which included leading technologists and academics, industry representatives, and consumer advocates.

The report endorses baseline privacy legislation and industry-wide best practices to help ensure that privacy and security concerns do not undermine consumer confidence. Although FTC staff specifically note that IoT-specific legislation would be premature, given the quickly changing nature of the technology, the report highlights the Commission's bipartisan recommendation for federal data security and broad-based privacy legislation, including data breach notification legislation that would strengthen Congress's existing data security enforcement tools. The report lays out best practices for companies developing devices for the IoT and discusses four ongoing initiatives.

The report includes the following recommendations for companies developing IoT devices:

• Educate consumers. Recognizing that many IOT products do not provide screens or other traditional interfaces, the report encourages developers to find new ways to educate consumers about privacy and data security.
• Provide notice and choice. The report urges developers to give consumers notice and choice about how their information will be used, especially when the data collection is beyond consumers' reasonable expectations.
• Build in security. The report encourages companies to build security into devices at the outset of design and development,rather than as an afterthought or in response to a breach.
• Train employees about the importance of security. The report asks companies to train their employees on data security issues, and ensure that security is managed at an appropriate level in the organization.
• Hold third parties accountable. The report urges developers to review the work of outside service providers and ensure they are able to maintain reasonable security.
• Set up multiple layers of defense. The report counsels IoT product developers to consider a "defense-in-depth" strategy for when a security risk is identified, whereby multiple layers of security may be used to defend against a particular risk. The report also urges consideration of measures to prevent unauthorized access to a consumer's device, data or personal information stored on your network.
• Think long term. The report asks developers to monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
• Don't collect more data than you need. The report asks developers to consider "data minimization," which means limiting the collection and retention of consumer data.

​The report also describes four ongoing initiatives:

• Law enforcement. The FTC enforces - among other statutes - the FTC Act, the Fair Credit Reporting Act, COPPA, and the health breach notification provisions of the HI-TECH Act.
• Consumer and business education. The FTC is continuing its effort to provide advice for businesses with the publication of Careful Connections: Building Security in the Internet of Things, which is likely the first of many FTC publications addressing the IoT.
• Participation in multi-stakeholder groups. The FTC is already working with groups considering guidelines and best practices - and those efforts will continue.
• Advocacy. The FTC plans to look for opportunities to work with other government agencies, state legislatures, and courts to promote security and privacy protections for the IoT.

​Companies should understand that this FTC Report represents a very early step in the regulatory process, and we expect more legislation and other guidance for IoT developers to follow soon. Companies in the IoT space should consider involving Privacy counsel in all phases of development, including the initial product design and marketing phases. Privacy counsel can help ensure regulatory compliance and consumer-related privacy concerns are built into the foundation of the product and messaging, and are not an obstacle to future development.

For more information about the FTC's Staff Report on the IoT, or about any other Privacy or Data Security law issues, please contact Greg Boyd at (212) 826-5581 or gboyd@fkks.com, Jeremy Goldman at (212) 705-4843 or jgoldman@fkks.com, or any other member of the Frankfurt Kurnit Advertising or Technology, Digital Media & Privacy Groups.