The future is here and that future is populated with billions of devices sensing and communicating everything from weather conditions and your vital signs to how many eggs are in your refrigerator. Technology research firms such as Gartner predict that, in five to 10 years, the number of smart devices will balloon to more than 26 billion. Welcome to the “Internet of Things” (IoT) — the web of embedded computing devices that interact with our everyday lives. Like any technology revolution, those devices have no interest in waiting for the legal world to catch up, including that smart fruit bowl monitoring the ripeness of your bananas. As a result, if a General Counsel’s wearable device measuring nighttime biorhythms does not keep her awake at night, the prospect of billions of devices sensing everything about her customers and employees during an era of cyber insecurity probably will.
The Internet of Things presents numerous challenges for inside counsel. As the litany of recent data breaches has made clear, organizations are already struggling to protect personal data against relentless hacker attacks. The IoT will exponentially increase the amount of data that enterprises will need to secure. Further, these IoT devices, more often than not, are “in the wild.” This means that, although these devices are collecting data outside the confines of an organization’s secure environment, they nonetheless communicate information back to the organization. Further, because a particular employee or customer may interact with hundreds of devices every day, many devices outside the control of the organization may leak pertinent information about that person.
Privacy concerns are not the only worries that inside counsel will face. The Internet of Things may introduce entirely new and complex areas of potential liability. For example, as IoT devices become more autonomous, who is liable when things go wrong? While the failure of a smart fruit bowl is likely of little consequence, failures of self-driving cars and medical devices may be catastrophic, for obvious reasons. Significant gaps in laws and judicial guidance will ultimately create uncertainty within the offices of inside counsel for the foreseeable future.
Finally, counsel may lose sleep over the fact that the Federal Trade Commission (FTC) has thrown itself into the fray. Specifically, the FTC has recently asserted broad authority to protect consumers from businesses’ collection of data. The centerpiece of this assertion of authority is the Federal Trade Commission Act (FTC Act) that prohibits “unfair or deceptive acts or practices in or affecting commerce,” and empowers the FTC to enforce the FTC Act. 15 U.S.C. § 45(a). The FTC Act defines “unfair acts or practices” as acts or practices that cause or are likely to cause “substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. § 45(n). The FTC is empowered to enforce this prohibition using administrative remedies (in a trial-type proceeding before an administrative law judge) and/or judicial remedies (in a federal court by seeking civil penalties and/or injunctive relief). 15 U.S.C. §§ 45(b) and 53(b).
In the context of the Internet of Things, the FTC has begun to make the regulation of IoT an administrative priority. That scrutiny manifested itself in a recent enforcement action (and settlement) involving TRENDnet, a manufacturer of routers, Internet cameras, and other networking devices. The FTC took issue with TRENDnet’s failure to adequately secure its Internet camera devices, potentially exposing users’ live video streams to the public. The FTC action against TRENDnet not only produced significant bad press for the company, it also resulted in restrictions to TRENDnet’s marketing, mandatory customer support obligations, retooling of its security policies, and mandatory third-party reviews of its security operations for the next 20 years.
It goes without saying that once the FTC has a company in its crosshairs, that company may be forced to expend significant resources in the form of compliance costs and legal fees. For example, the company may be asked to overhaul its data security policies and practices, notify affected customers, hire third-party auditors, and/or subject itself to continual FTC oversight for many years. Although the FTC’s asserted broad authority has been challenged in a pending interlocutory appeal to the Third Circuit (FTC v. Wyndham Worldwide Corp.), organizations should assume that the FTC will continue to assert its authority at least in the near term.
WHAT TO DO
How should organizations react to such risks? First, launch an internal education campaign for your engineering staff to communicate the importance of designing secure technologies. Often, engineering teams are more focused on staying ahead of the technology curve and do not adequately appreciate the potential legal risks of launching insecure products — especially in a legal environment with increased scrutiny on cybersecurity and privacy issues. Such efforts can place the organization in a good position to balance speed-to-market with minimizing legal exposure for the organization.
Second, even though many IoT devices use cutting-edge technology, your organization should strive for commonly used and readily available data security measures. Part of this effort should involve reviewing the organization’s existing security policies to ensure they adequately address the unique characteristics of IoT. Should litigation ensue, this effort will help the organization establish that it deployed a reasonable level of care in collecting and protecting data. This becomes especially important when an organization operates in heavily regulated industries such as health care, education, and finance where expectations of privacy protections are heightened.
Finally, scrutinize your organization’s data management practices. As storage becomes less expensive and the promises of “big data” analytics grow, your organization may be tempted to keep everything collected by IoT devices. This can significantly increase organizational risk — more data is susceptible to breach and e-discovery costs can skyrocket if litigation occurs. Inside counsel should sit down with the rest of the organization and determine what data collection is necessary for the organization’s business. If the organization must keep certain data, consider disassociating that data from specific users. This will help alleviate the potential liability should the data be leaked in a cyber-attack. Once the organization decides what data should be saved, counsel can work with the rest of the organization to develop clear and consistent data retention policies to manage that data.
The Internet of Things offers an exciting opportunity as industries develop innovative ways to collect and analyze environmental data. However, fast-moving technological developments often present new and substantial legal and organizational risk. IoT will likely be no different. Proactively addressing these issues will help inside counsel effectively conduct its own collection and analysis of at-risk data and quickly respond when problems arise.
Reprinted with permission from the December 2014 issue of The Corporate Counselor. Copyright 2014 ALM Media Properties LLC. Further duplication without permission is prohibited. All rights reserved.