Two months ago, citizens and lawmakers got a slight taste of the potential mayhem in store once the universe of Internet of Things devices expands to a projected 50 billion to 70 billion by 2020. On October 21, Dyn, a company that runs the Internet’s domain name infrastructure, experienced a series of coordinated botnet attacks spurring distributed denial of service outages on both sides of the Atlantic. The attacks took down popular entertainment and media websites such as Twitter, Netflix, and Spotify, and news sites such as New York Times, CNN, and The Guardian. The attackers were able to exploit security vulnerabilities in hundreds of thousands of Internet of Things devices, including home computer routers, baby monitors, and webcams.
A contributing factor to the Dyn attacks was the fact that manufacturers allowed baby monitors, webcams, and other equipment to be sold without resolving security deficiencies that enabled attackers to compromise those devices and use them for attack purposes.
Manufacturers of Internet of Things (IoT) products and services, which allow devices to communicate with each other via embedded sensors that collect, analyze, and distribute user data, need to have processes by which they bring together an interdisciplinary team of people to plan a product’s features; examine and test a product’s security; and think about the risks associated with it, says Stephen Wu, an attorney with Silicon Valley Law Network, which advises companies about security and privacy issues. “The concern we see is that companies are putting together a product very quickly. They don’t do the security testing. They just want to get it out there on the street. They want to make a quick buck, and they end up causing problems,” Wu says.
In a January 2015 report, the Federal Trade Commission recommended that companies build a reasonable level of security into their devices at the outset rather than as an afterthought. Companies’ increased reliance on Internet connections, whether in their manufacturing processes or in the products and services they sell, argues for including such issues in their compliance risk assessment. That, along with the ethics of lawyers’ and compliance officers’ obligation to understand technology, will be addressed by the Practising Law Institute (PLI) for the first time in a session next May at its Compliance and Ethics Institute.
“What we’ll be doing at the PLI program is trying to go through every type of technology and say, ‘here are the compliance implications of that technology,’ ” says Theodore Banks, a partner at Scharf, Banks, Marmor, who is helping to organize that conference session. “If you’re using some sort of app that relies on what we lump together as Big Data, have you considered all the implications and what might those be as far as compliance risks [are concerned]?” Each time a company empowers one of its devices with some sort of Internet connection, it becomes a compliance issue, he adds.
The compliance staff needs to think about every business function that relies on an Internet connection to fulfill its purpose, from internal accounting programs to the interface with customers or suppliers, Banks says. When including these considerations in its enterprise risk assessment, however, a company must examine not only the possibility of business disruptions that Internet connections might cause but also the legal implications of such connections.
For example, if a product stops working because of an Internet problem, it could constitute a breach of contract, which could prompt a lawsuit asking for damages or even specific performance. That’s a greater risk “if it’s a B2B type of product where someone else’s business is reliant on that,” Banks explains. “So part of the risk assessment by management [should be examining] what’s in the contract. Are you protecting yourself from the legal implications of a failure like this,” including lost-profit damage claims?
Another issue to consider is the possibility of harm done to consumers if an Internet-managed appliance such as a refrigerator or freezer fails and then starts working again without the consumer being aware that the downtime may have caused foods to spoil. A third scenario is what happens when someone remotely seizes control of Internet-enabled devices to use for malicious purposes such as a distributed denial of service attack, as in the Dyn case. Compliance professionals need to think about whether there is adequate security built into their company’s system to prevent unauthorized people from getting control of it.
Not only senior legal and compliance officers but the entire organization needs to be educated about information security risks, says Jill Rhodes, chief information security officer at Option Care, a home infusion therapy services provider. “Yes, it has to hit the chief compliance officer and the general counsel, but until you can build that corporate culture that understands the importance of information security, just educating your chief compliance officer is not going to help.”
Employees throughout the company need to be attuned to the fact that certain kinds of data, such as personally identifiable information or clients’ sensitive health information, demand more careful treatment than less sensitive data, she says. They also need to recognize that if the technology they use enables a connection with the Internet, it has to be protected differently, and they need to think differently about how they use it. “All the action in most businesses doesn’t happen in this headquarters. It happens out in the field. So in order to push down what folks in headquarters would like to see happen in the field, we have to educate those in the field,” she says.
INTERNET OF THINGS
Below is an excerpt from the Federal Trade Commission’s Staff Report on Internet of Things:
Staff has concerns, however, about adopting solely a use-based model for the Internet of Things. First, because use-based limitations have not been fully articulated in legislation or other widely-accepted multi-stakeholder codes of conduct, it is unclear who would decide which additional uses are beneficial or harmful.[174] If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust. For example, there was considerable consumer outcry over Facebook’s launch of the Beacon service, as well as Google’s launch of the Buzz social network, which ultimately led to an FTC enforcement action.[175]
Second, use limitations alone do not address the privacy and security risks created by expansive data collection and retention. As explained above, keeping vast amounts of data can increase a company’s attractiveness as a data breach target, as well as the risk of harm associated with any such data breach. For this reason, staff believes that companies should seek to reasonably limit the data they collect and dispose of it when it is no longer needed.
Finally, a use-based model would not take into account concerns about the practice of collecting sensitive information.[176] Consumers would likely want to know, for example, if a company is collecting health information or making inferences about their health conditions, even if the company ultimately does not use the information.[177]
Source: Federal Trade Commission
Option Care has created an ambassadors program in which employees throughout the organization volunteer to receive additional education and training about information security and are encouraged to share it with their peers. By participating in monthly webinars, these employees learn about new developments in the company’s information security program and where its strengths and weaknesses lie. “We ask them to talk about it, and then escalate anything that needs to be escalated. That way, we have tentacles – we have eyes and ears all over the place,” says Rhodes.
She stresses the importance of teamwork between the CISO, chief compliance officer, and chief privacy officer, if there is one, who together can provide all sides of the privacy, security, and compliance realm and ensure common messages of education across the board.
Navigating the IoT compliance landscape is more complex than in most other business areas because regulatory authority is divided among numerous federal agencies according to the industry to which an IoT device has been deemed to belong. For example, the Federal Aviation Administration has been tapped by Congress to develop regulations for unmanned aerial vehicles and systems, while the Department of Health and Human Services’ Office for Civil Rights enforces the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) that apply to certain healthcare data and entities.
A key attraction of IoT is its ability to integrate with other technologies across industrial sectors and data categories. That puts it at odds with the U.S. regulatory framework, which takes a sectoral approach to regulating privacy and personal information, as reported in the lead article in the spring 2016 edition of SciTech Lawyer, published by the American Bar Association’s Science & Technology Law Section. Citing 11 different federal entities that were identified by the Congressional Research Service as having at least partial regulatory jurisdiction over aspects of IoT, the article concluded that “the patchwork regulatory scheme is not ready for the IoT data stream.”
Until comprehensive ISO standards for IoT have been developed and become the reference points for future regulations, most IoT experts expect consumer litigation to be the main driver of compliance best practices that manufacturers and other companies will be pressured to adopt to protect the security of their devices and users’ personal information. Significantly, the first security guidance standards, now being developed by an international standards committee, aren’t expected to be published for another three or four years.
To date, there has been scant litigation in connection with IoT devices, and there isn’t enough judicial opinion to suggest where the law is going, says Steven Teppler, an attorney at Abbott Law Group and co-chair of the American Bar Association’s IoT committee. But he foresees the FTC using its existing legal authority to pursue companies—such as the manufacturers of baby monitors and webcams involved in the Dyn attacks—and forcing them “to undergo security reviews and create a corrective action plan in a consent agreement with the Federal Trade Commission to improve their security postures.”
The need for robust security isn’t limited to the harm that a failed or hacked device can cause to individual users of IoT devices. As the Dyn attack shows, the inherent capabilities of these devices are sufficient, if exploited by bad actors, to overwhelm the network and take down entire websites. That’s why compliance imperatives are expanding to include thinking about the implications of there being millions or billions of these devices, which, if activated, can potentially cause widespread damage.