Internet of Things and Privacy Issues

Transcription

1 The Iowa State Bar Association s ecommerce & Intellectual Property Law Sections presents 2015 ecommerce & Intellectual Property Law Seminar Internet of Things and Privacy Issues 9:30 10:15 am Presented By Srikant Mikkilineni Brick Gentry P.C Westown Parkway, Suite 100 West Des Moines, IA Phone: Friday, December 11, 2015

2 Brick Gentry P.C. 2015

3 What is the Internet of Things ( IoT ) Current Implementation Wearables Smart Appliances and Sensors Future Implementation Smart Automobiles Smart Communities Interoperability and Communications Challenges in Securing IoT Embedded Systems & Integrated Sensors 2

4 Risks in Utilizing IoT Devices Accountability who bears the liability? Attorneys Clients Security and Privacy Concerns Related to IoT Law and Regulations Potentially Pertaining to Privacy and Data Security in IoT Devices Compliance with Orders and Contract Requirements Safety Use of IoT Data as Evidence Manipulation of Electronic Evidence Risk Management 3

5 1. 4

6 Defined as a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data. Typically IoT devices are embedded computing devices that are uniquely identified and allow for the sharing and aggregation of information collected by each device. IoT devices are not all physical objects they can exist as identifiable software/virtual objects. For example Tesla s database of autopilot information available to all other Teslas. 5

7 IoT Devices can include: Current: Industrial Robots Supply Line Trackers (RFID trackers) Fitness Trackers, Smart Watches, and other Wearables Smart Appliances Smart Control Systems (i.e. Building Environmental Controls) Drones Emerging: Smart Automobiles Medical Devices Transportation Monitors Connected Grids 6

8 Primary Features of IoT: Interconnection with the Internet or other global information/communication infrastructures. Current implementations of IoT are highly heterogeneous, each device, or brand of devices, relies on its own hardware and network or service platform to communicate with other IoT devices from the same brand. However, it is likely this will change or at least move toward more compatible cross-brand communication as the industry matures. 7

9 Primary Features of IoT: Heterogeneous data collection, IoT devices are also unique in that they collect information specific to their task or role based on heterogeneous hardware and networks that can then interact with other compatible networks. Can scale as needed meaning IoT devices can and are being added in huge numbers and are all managed and communicate with each other in greater numbers than anything previously seen. The FTC estimates there are currently 25 billion connected devices and will grow to 50 billion devices by 2020 thanks in large part to IoT devices. 8

10 Primary Features of IoT: Devices can be controlled remotely and states of devices can change dynamically. For example, a connected coffee pot can be told to check your calendar every morning at a specific time and then brew a pot of coffee one hour prior to your first appointment of the day. Another example could be a smart dongle for your car, provided by your insurance company, that can be remotely monitored by authorized users as to the location, speed, and diagnostics of the vehicle after initial authorization from the vehicle owner. 9

11 Primary Features of IoT: Autonomic Networking and Service Provisioning IoT Devices are generally Plug-and-Play, meaning the user simply plugs the device in and the device connects to the existing network and begins operating with minimal setup by the user. This is possible because of the autonomic nature of IoT devices. Specifically, many IoT devices are self-managing, self-configuring, and self-protecting. Many IoT devices are location aware or have location based capabilities. Geo-fencing 10

12 As the number of IoT devices on a network increase, the number of potential vulnerabilities in a network also increase. This affects not only security but also data privacy. For example, a hospital starts using connected blood pressure monitors in every patient s room if one or more of those blood pressure monitors is insecure or defective, the hospital s entire network and data security measures are potentially compromised. Ease of use in IoT systems is sometimes at the expense of security. 11

13 Many IoT device manufacturers and platform providers have taken a cloud approach. With cloud based IoT devices, the devices transmit information to a cloud database, normally administered by the platform provider. Who owns the data transmitted to the cloud, the user or the platform provider? Most IoT devices have a long lifecycle they are meant to be setup once and then automatically maintain their functionality for a long period of time. Unlike cellphones and laptops which are refreshed, at minimum, every year or so. 12

14 Some IoT devices are now being installed in the infrastructure of a building which makes replacement impractical or impossible. IoT devices are being manufactured at an incredible pace to try to meet demand, which can lead to improper design and implementation. Security illiterate product manufacturers are also an issue. There is a lack of accountability for device security currently 13

15 Security vulnerabilities can go unnoticed for longer periods of time because users likely have less interaction with IoT devices after the initial setup. IoT devices are designed to assist in machine interaction and data sharing to create a result without human interaction. Improperly configured IoT devices with inadequate or non-existent software update mechanism are also a challenge. 14

16 Accountability: Products liability concerns: Ordinary and gross negligence Express and implied warranties, including merchantability and fitness for a particular purpose Strict liability, in certain circumstances Fraud False advertising Unfair trade practices Risk of bodily injury and death IoT medical devices with insecure implementations could lead to patient harm/death. Autonomous cars with security vulnerabilities could lead to passenger harm/death or a defective embedded system can lead to unintended action by the car, i.e. unintended acceleration, causing harm/death to occupants. 15

17 For Attorneys and Clients alike: Breach of attorney-client privilege Utilizing IoT Devices may lead to an inadvertent waiver of privilege. Data ownership considerations Users may not own data collected by IoT devices and sent to cloud platform. Additionally, IoT device data may be accessible to third parties, i.e. platform provider, which may breach attorney-client privilege. Component or device supply chain risks Risk of using IoT devices with unknown sources of component parts in highly sensitive data handling situations. 16

18 For Attorneys and Clients alike: Data security and privacy considerations IoT device(s) may be weak link in security chain of a network creating security risk(s) and allowing for data breaches Privacy considerations with the use/regulation of drones and IoT cameras Use of IoT data as evidence Regulatory compliance Current and future compliance issues 17

19 Current sources of data security and breach notification regulation Family Educational Rights and Privacy Act (FERPA) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Sarbanes Oxley (SOX) State laws on data breach notification requirements 18

20 Compelled disclosure to the government Electronic Communications Privacy Act and the Stored Communications Act Patriot Act Court Orders and Warrants Industry Standards Many industries have their own data security standards, such as PCI DSS in the credit card payment industry, for sensitive data transmitted over the Internet and/or stored in the cloud which may be affected by IoT devices on the same or interconnected networks in the future. 19

21 Contractual Standards Compliance with negotiated standards with a vendor or third-party. Future Regulation The FTC continues to recommend enactment of strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to customers when there is a security breach. 2 Potential safety regulations specific to IoT challenges and products liability 2. FTC Staff Report, January 2015, 20

22 Use of electronic records or electronically stored information ( ESI ) as evidence has increased rapidly. ESI has its own risks: They are typically more easily altered They can be more easily misinterpreted For example, a sleep tracker records a user s movement during sleep and the platform algorithm interprets the movement as being awake rather than asleep. 21

23 IoT devices have the potential to provide a wealth of ESI. Multiple cases utilizing Fitbit data to provide location and/or activity data of a suspect Case from earlier this year where a woman claimed she was sleeping and woke up to a man attempting to sexually assault her. However, after police recovered the woman s Fitbit band, which she had claimed was lost during the struggle with the man, the band and downloaded data showed she was awake and walking around at the time she claimed she was sleeping. Along with other evidence contradicting an assault, the woman was charged with false reports to law enforcement, false alarms to public safety, and tampering with evidence. 22

24 As pervasive computing becomes more and more omnipresent so does ESI that may potentially become evidence. Attorneys on both sides of a case will need to consider ESI beyond the typical s and text messages going forward. Additionally, it will fall to the attorney to advise clients of potential uses of IoT data and other ESI as well as security and privacy legal issues related to IoT devices. 23

25 Attorneys must be aware of potential threats to maintaining attorney-client privilege. Utilizing a network of IoT Devices at a firm may lead to greater efficiency of the attorneys and the firm, but may also create a security threat if the devices are not properly vetted prior to installation. Additionally, attorneys utilizing fitness trackers, smart watches, other wearables, and even mobile phone apps should assess the type of data shared and where the sharing is occurring. For example, an attorney with the FourSquare app installed on his/her phone has the app automatically check-in anytime the app recognizes a location and also post the location to his/her Facebook wall. 24

26 Similarly clients should be made aware of potential threats to maintaining attorney-client privilege by utilizing IoT devices. Clients should be aware of and counseled on the types and amount of data they are sharing on IoT networks. Clients should be made aware that data collected by IoT devices may not be owned by the client or may be accessible to third-parties, i.e. the IoT device provider. Additionally, client s data may be stored on a platform even after the client stops using the associated IoT device(s) and/or closes their platform account. 25

27 Clients and attorneys should be aware of the potential use of data collected from implemented IoT devices as evidence at trial. Clients should be aware that information beyond the collected data may be subject to ediscovery, i.e. source code, updates, etc. Clients should work with counsel to develop policies and procedure for information governance and regulation compliance. Clients and attorneys should keep a regularly updated inventory of all IoT devices on the premises. Including devices that are integrated into the infrastructure of the building. 26

28 Clients and attorneys should regularly assess if anticipated and currently implemented IoT devices constitute a potential weak-point in network security and patch any known vulnerabilities. Clients and attorneys should include IoT devices as part of their network security audit for compliance with state, federal, industry, and contracted requirements. Clients should manage risk through contract whenever possible 27

29 For highly sensitive data, clients should also be aware of supply chain risks. For example, an IoT device utilizes a component chip designed and manufactured in China. For highly sensitive applications, such as use in secure government facilities, the client needs to be aware of risks with utilizing a chip sourced in China where subversive code can be added to the chip/device if there is not proper oversight. Clients should work with counsel to determine the sensitivity of the data available to, and potentially accessible by, an IoT device(s) and the risks associated with implementing the IoT device(s) before such implementation. 28

30 Clients developing IoT products should implement reasonable security according to the FTC Staff Report from January What is reasonable security? Must consider the amount and sensitivity of the data collected and the cost of remedying security vulnerabilities. For Example, greater security measures should be taken with IoT devices collecting medical information of patients. Clients should integrate security considerations early into the design process, including: Training employees on good security measures; Implementing access control measures; Minimizing data collection and retention beyond required scope, Assessing privacy risk; Testing security measures; and Monitoring products throughout their lifecycle and patching known vulnerabilities whenever possible. 29

31 Srikant Mikkilineni (515)