IoT Raises New Legal Challenges For Business
Privacy, security, and data ownership issues surrounding Internet of Things devices are creating a host of new legal questions and problems. Here’s what’s happening now, and what you need to know.
Drones, wearables, the Internet of Everything: As more and more data about individuals and businesses is collected and combined, new waves of litigation and lawmaking will follow.
Internet of Things (IoT) devices represent potential points of security failures, and the data they generate or collect is raising new privacy concerns. In addition, since the IoT involves an entire value chain of hardware, software, and services, data ownership issues may arise among different parties, including the device manufacturers, software providers, service providers, end users, and others.
“As of today, information collected via devices generally can be used for almost any purpose, which is pretty scary as a consumer. It’s also scary for businesses, because there are a wide variety of instances where issues can arise,” said James Goodnow, a partner at law firm Lamber Goodnow, in an interview.
For example, some businesses are encouraging employees to use Fitbits or other health wearables. Those companies are often focused on the positive aspects of device use, such as wellness (which can potentially reduce the healthcare premiums they pay and reduce the number of sick days employees use). However, the same organizations may not have considered the potential risks of embracing such devices.
“Right now, it’s probably not a good idea for employers to collect that information, because the laws are unclear and you may be setting yourself up for problems,” said Goodnow. “If you’re collecting health information and it’s decided the person needs to be terminated, you’ve exposed your company to liability. The information you’ve collected may show a disability by tracking heart rate or activity or that someone isn’t as healthy as they should be.”
If it is determined that the employee is a member of a protected class, as defined by the Americans with Disabilities Act (ADA), then unlawful discrimination allegations may arise. So, before being seduced by the potential benefits of IoT devices, make sure you also understand the potential risks.
More Data, Less Privacy
There is no shortage of gadgets generating and collecting data. In fact, Gartner estimates that 6.4 billion “things” will be used worldwide in 2016. In the rush to introduce the latest and greatest devices, manufacturers may not have adequately contemplated privacy and security issues.
For example, VTech is being sued in Illinois for fraud and deceptive business practices, breach of contract, breach of good faith and fair dealing, breach of implied warranty, and negligence. Its product was allegedly vulnerable to a SQL injection attack that allowed hackers to steal the personal information of 2.8 million parents and children.
New classes of devices, including wearables and drones, are collecting information that may not have been available previously, or may not have been cost-effective to procure, particularly in a persistent way, in the past.
“Consumers are going to be providing information to products in a new way that companies have not thought of. Those companies may not have thought about privacy the same way an Internet-facing line of business in the same organization would,” said Nicholas Merker, co-chair of the data security and privacy practice at law firm Ice Miller, in an interview. “If you’ve never captured information in your product and you want to start now, you’re going to have some of the problems folks had in the Internet era when they started doing the same thing.”
Disclosure — explaining how the information generated or collected by the device will be used — is another consideration device manufacturers and their customers may be overlooking.
“Disclosures are about what [the product] is and how to use it, and not focused on how data is used and how it’s collected,” said Paul Bond, co-leader of the information technology, privacy, and data security group at law firm Reed Smith, in an interview. “That’s especially true for devices that have no keyboard or interface, so the thought is, it’s not collecting [personally identifiable information].”
Further, the data generated or gathered by IoT devices may be demanded in a lawsuit as part of “any electronically stored information,” which is why companies should consider whether they want to store such information in the first place — and if so, what the potential risks might be.
“If you’re forking information over about your employees, you’re going to have some pretty unhappy employees and potentially more liability arising from that,” said Goodnow.
And, of course, IoT devices are a new playground for hackers — cars, medical devices, and even guns are potentially vulnerable. In some cases, those devices may be used as a way of infecting other connected systems, which means companies may find themselves liable for issues they didn’t even anticipate.
For its 2015 IT Risk/Reward Barometer, nonprofit IT industry association ISACA surveyed 7,016 of its members in 140 countries in August and September 2015. The vast majority of IT professionals polled (77%) said that the IoT has benefited their company. However, 73% do not believe IT industry security standards sufficiently address the risks. Further, 49% of respondents said they do not believe their IT department is even aware of all the connected devices in their organization. Those are the kinds of vulnerabilities that can expose companies to potential liability.
Data Ownership Rights May Arise
Individuals like to think they own their own data, but in the US, consumers and business users are freely trading it for the privilege of using a product or service. Contracts, including end-user license agreements (EULAs), define who owns the data — which is another reason not to mindlessly rip open a package or click on an “I agree” button.
And, because IoT devices operate as part of an ecosystem, and many of the devices are being designed to communicate with each other, data ownership can become a very real issue. In fact, even farmers are being advised to understand data ownership issues before negotiating contracts with drone manufacturers.
Is your organization encouraging employee use of IoT devices? Would you want to work for a company that asks employees to wear Fitbits or other health trackers? Is your company aware of the legal issues involved in collecting personally identifiable information from employees or customers? Tell us all about it in the comments section below.
Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include …