Privacy, security, and data ownership issues surrounding Internet of Things devices are creating a host of new legal questions and problems. Here’s what’s happening now, and what you need to know.
Drones, wearables, the Internet of Everything: As more and more data about individuals and businesses is collected and combined, new waves of litigation and lawmaking will follow.
Internet of Things (IoT) devices represent potential points of security failures, and the data they generate or collect is raising new privacy concerns. In addition, since the IoT involves an entire value chain of hardware, software, and services, data ownership issues may arise among different parties, including the device manufacturers, software providers, service providers, end users, and others.
“As of today, information collected via devices generally can be used for almost any purpose, which is pretty scary as a consumer. It’s also scary for businesses, because there are a wide variety of instances where issues can arise,” said James Goodnow, a partner at law firm Lamber Goodnow, in an interview.
For example, some businesses are encouraging employees to use Fitbits or other health wearables. Those companies are often focused on the positive aspects of device use, such as wellness (which can potentially reduce the healthcare premiums they pay and reduce the number of sick days employees use). However, the same organizations may not have considered the potential risks of embracing such devices.
“Right now, it’s probably not a good idea for employers to collect that information, because the laws are unclear and you may be setting yourself up for problems,” said Goodnow. “If you’re collecting health information and it’s decided the person needs to be terminated, you’ve exposed your company to liability. The information you’ve collected may show a disability by tracking heart rate or activity or that someone isn’t as healthy as they should be.”
If it is determined that the employee is a member of a protected class, as defined by the Americans with Disabilities Act (ADA), then unlawful discrimination allegations may arise. So, before being seduced by the potential benefits of IoT devices, make sure you also understand the potential risks.
More Data, Less Privacy
There is no shortage of gadgets generating and collecting data. In fact, Gartner estimates that 6.4 billion “things” will be used worldwide in 2016. In the rush to introduce the latest and greatest devices, manufacturers may not have adequately contemplated privacy and security issues.
For example, VTech is being sued in Illinois for fraud and deceptive business practices, breach of contract, breach of good faith and fair dealing, breach of implied warranty, and negligence. The suit alleges that its product was vulnerable to SQL injection, which let attackers steal the personal information of 2.8 million parents and children.
New classes of devices, including wearables and drones, are collecting information that was not available previously, or that could not previously be gathered cost-effectively, particularly on a continuous basis.
“Consumers are going to be providing information to products in a new way that companies have not thought of. Those companies may not have thought about privacy the same way an Internet-facing line of business in the same organization would,” said Nicholas Merker, co-chair of the data security and privacy practice at law firm Ice Miller, in an interview. “If you’ve never captured information in your product and you want to start now, you’re going to have some of the problems folks had in the Internet era when they started doing the same thing.”
Disclosure — explaining how the information generated or collected by the device will be used — is another consideration device manufacturers and their customers may be overlooking.
“Disclosures are about what [the product] is and how to use it, and not focused on how data is used and how it’s collected,” said Paul Bond, co-leader of the information technology, privacy, and data security group at law firm Reed Smith, in an interview. “That’s especially true for devices that have no keyboard or interface, so the thought is, it’s not collecting [personally identifiable information].”
Further, the data generated or gathered by IoT devices may be demanded in a lawsuit as part of “any electronically stored information,” which is why companies should consider whether they want to store such information in the first place — and if so, what the potential risks might be.
“If you’re forking information over about your employees, you’re going to have some pretty unhappy employees and potentially more liability arising from that,” said Goodnow.
And, of course, IoT devices are a new playground for hackers — cars, medical devices, and even guns are potentially vulnerable. In some cases, those devices may be used as a way of infecting other connected systems, which means companies may find themselves liable for issues they didn’t even anticipate.
For its 2015 IT Risk/Reward Barometer, nonprofit IT industry association ISACA surveyed 7,016 of its members in 140 countries in August and September 2015. The vast majority of IT professionals polled (77%) said that the IoT has benefited their company. However, 73% do not believe IT industry security standards sufficiently address the risks. Further, 49% of respondents said they do not believe their IT department is even aware of all the connected devices in their organization. Unmanaged, uninventoried devices of that kind are the sort of gap that can expose companies to liability.
Data Ownership Rights May Arise
Individuals like to think they own their own data, but in the US, consumers and business users are freely trading it for the privilege of using a product or service. Contracts, including end-user license agreements (EULAs), define who owns the data — which is another reason not to mindlessly rip open a package or click on an “I agree” button.
And, because IoT devices operate as part of an ecosystem, and many of the devices are being designed to communicate with each other, data ownership can become a very real issue. In fact, even farmers are being advised to understand data ownership issues before negotiating contracts with drone manufacturers.
“How are you capturing the data? How is that data being shared? What was the customer told? What did the customer consent to? These are issues that have to be looked at. And if you go international, there’s such a state of uncertainty now that you really have to pay attention to those things,” said Daren Orzechowski, a partner at law firm White & Case, in an interview.
As more traditional products, such as refrigerators, take on the non-traditional roles of generating, collecting, and disseminating data, it may not be possible to anticipate all of the data ownership issues upfront, since data collected for one purpose at one point in time may be used for another purpose later when combined with other types of data.
“This is the Wild West right now when it comes to data ownership questions. It’s a murky area, a very undefined area, and it’s an area that we’ll certainly see an uptick in litigation in the coming years,” said Goodnow.
The data generated by devices, such as a user’s heart rate, is currently treated as owned by the hosting company or device manufacturer, Goodnow said. Manufacturers are using that information to understand customers — and they may also be selling the information to third parties.
“This information, including sensitive health information, is being widely disseminated and brokered. The question is, what legislation is there, and federally, it’s essentially none,” said Goodnow.
Not All Lawsuits Will Succeed
In the US, some class-action suits for privacy breaches are being dismissed. Either the members of the class are unable to demonstrate actual harm (specifically, a quantifiable amount of monetary damage) or they fail to share a common injury (e.g., one person suffers full-blown identity theft while another simply has credit card information stolen).
“The idea of a class action is there’s one set of common facts,” said Orzechowski. “There’s a case right now with the Supreme Court involving Spokeo that’s looking at what kind of [damages need to be shown] to go forward with these types of cases where there’s [information] that’s been [disseminated] or a privacy breach.”
Businesses sharing data internationally have to understand the rules of the various jurisdictions. For example, the EU is overhauling its data protection rules to make them more uniform among member countries, including fines of up to four percent of a company’s global annual turnover.
“Data is one of the main unsettled questions in American privacy law. There has been a push to say that I as an individual own information about myself,” said Reed Smith’s Bond. “The idea of individual ownership doesn’t fit in with most ideas of what property is, so it’s really more of a question of who controls it.”
The level of legal uncertainty is symptomatic of early stage, technology-fueled innovation that outpaces lawmaking ability — which means we’ll likely see some high-profile breaches and disputes in the near future. The dynamics will likely influence business practices, technology adoption, consumer expectations, and the legal landscape, although to what extent is not yet obvious.
Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include …