The Internet of Things (IoT) is changing the way consumers interact with their products—and vice versa. With smart refrigerators tracking expiration dates and food amounts, or smartphone applications that can remotely regulate the temperature and energy use of a home, consumers are more equipped than ever before to seamlessly manage everyday responsibilities.
But while such integration has its benefits, IoT devices pose a multitude of legal, e-discovery and security issues for counsel at companies that create such devices and companies that use them in their offices. While corporate counsel at IoT manufacturers contend with the complex emergence of IoT regulations, counsel across all companies and industries may have to grapple with how to manage secure IoT devices employed in their office.
Leading the push for IoT standards is the Federal Trade Commission (FTC), which in 2015 released guidance on transparency and reporting best practices for IoT devices. The FTC has been setting standards for IoT devices more effectively, however, in its actions against companies whose IoT devices’ lack of transparency or reporting amounts to deceptive practices.
One of the most far-reaching of these was the recent action against IoT television manufacturer and retailer Vizio, which agreed to pay fines of up to $2.2 million for charges of unfair tracking, among others. The FTC’s action against Vizio represented a move to broaden the category of sensitive information that, if misused, can cause harm to consumers. But Adrienne Ehrhardt, partner at law firm Michael Best, noted that such expansion of regulated IoT data is unlikely to continue given that the recent appointment of FTC Commissioner Maureen Ohlhausen “indicated that perhaps [the Vizio ruling] was a little too broad.”
“Perhaps in the future, the types of data would be much limited in terms of what would trigger that responsibility to provide notice and consent and transparency,” she added.
FTC standards, however, are not the only ones to which counsel at IoT manufacturing companies need to pay attention. Due to the globalized market, Ehrhardt stressed how much of an impact international IoT regulations can have on multinational organizations selling IoT devices and on consumer expectations of IoT standards worldwide.
“I think international laws will affect what we do domestically, because there is going to be a desire to have one approach or at least some kind of uniformity,” she said. “There might be an expectation in general from the consumers’ point of view that that should be the standard.”
In addition to keeping informed of the latest standards, counsel needs to manage the many risks IoT devices present when used in-house.
Ehrhardt noted, “IoT devices are another creation of evidence in a company. And to the extent that you let [IoT] inside your company, your counsel needs to be aware of the data implications, because [such devices] could create all kinds of unintended consequences.”
IoT data, after all, can be used in future litigation against a company and can create significant burdens for an organization’s internal e-discovery operations. Adi Elliott, vice president of market planning at Epiq Systems, previously explained to Legaltech News, “As soon as you get into third-party data sources that a corporation has no control over, things get more complicated. On top of the technological complexity, you also have jurisdictional complexity, as the global nature of e-discovery often results in different levels of access depending on the international jurisdiction.”
Because of these challenges, Ehrhardt recommended counsel have awareness of IoT “and be thoughtful in what additional [data points] could be created inadvertently. With the IoT, that tracking or that collection of information is so passive. I think there is just a lack of filter or awareness.”
She also advised counsel to consider the security implications of their IoT devices by asking, “What does that mean? Does it create another point of entry into your system? How are those devices interconnected to any of your company’s security measures?”
Such considerations can be pivotal given the potential vulnerabilities of IoT devices. In October 2016, for example, a multitude of IoT devices were hijacked by cybercriminals to launch one of the largest distributed denial-of-service (DDoS) attacks in history. The attack crippled a host of popular websites in the U.S. and Europe.
In light of such security and management issues, Ehrhardt hopes counsel would question why IoT devices would be necessary to have in-house. After all, “what’s the need to collect that data and open [yourselves up] from a privacy and security standpoint?”