The internet of things is the connection of a broad range of devices using an IP address. It can range from our smart TVs and phones, to our home security systems, thermostats … the list goes on. A popular prediction is that by 2020, the internet of things will comprise no less than 50 billion devices.
With this type of wide adoption, concerns over private data surface – how it is collected, how it is used, and how it may make your organization vulnerable to risk.
Connected cars, having an IP address, are part of the internet of things. Unless anonymized, all data that comes from a car is potentially personal, frequently behavioral, sometimes social, and now with payment systems, sensitive, financial, and reputational as well. As just one example, a connected car could have access to a credit card number, where the data subject drove before and after a purchase, and all of a phone’s contacts. It may also deduce where the data subject lives and works, how they typically drive, and whether the data subject is driving in a particularly erratic manner at a given moment.
Privacy and the Internet of Things: Understanding Risk
To paraphrase a recent TRUSTe Privacy Blog post, as internet of things technologies advance and companies have greater monetary incentives to process the data, privacy and transparency should be considered. The more connected devices there are, the greater the risk that they will be compromised. The FTC report “Internet of Things: Privacy & Security in a Connected World” indicates that fewer than 10,000 households together generate 150 million discrete data points every day.
Anticipating the need for increased vigilance in privacy protection, in late 2014, the Alliance of Automobile Manufacturers (representing almost all car manufacturers) developed and released a set of Consumer Protection Privacy Principles to be incorporated into the privacy policies and statements of car manufacturers.
Now, regulators are increasingly weighing in. When it comes to connected automobiles alone, privacy laws and enforcements are growing. In a keynote presentation at the 2016 Connected Cars conference, FTC Commissioner Terry Sweeney stated that the Commission was watching to ensure that automobiles protect the security and privacy of consumers. France’s data protection authority CNIL released a compliance package which provides guidelines for how to treat the personal data gathered by connected cars. This guideline is intended to be consistent with requirements under the EU General Data Protection Regulation (GDPR) when that law goes into effect next year.
IoT and Unauthorized Disclosure of Data: Incident or Breach?
Like any other privacy incident in which private, protected data is revealed without authorization, an incident involving an IoT device should be analyzed under all applicable breach notification laws and contractual obligations. When conducting a multi-factor risk assessment to determine if an incident meets a breach threshold, keep the following in mind:
- Understand the difference between an incident and a breach; it’s key to determining whether your incident requires notification. Making this determination means answering questions such as: how was the data stored, how was it transmitted, were there adequate technical safeguards in place with respect to both… how much risk should be attributed to the recipient? Were they authorized? How likely are they to misuse the data? Are there any administrative or contractual protections on that relationship? After the incident, were any mitigation measures taken, such as remotely wiping storage media, changing credentials, or other measures that could limit or remove further risk exposure?
- Proving consistency in your risk assessment process can help you pass an audit, or even avoid coming under audit scrutiny in the first place. Automation tools in incident response provide a consistent process for documenting and profiling the incident, scoring that incident against applicable laws, and generating incident-specific notification guidance and decision support.
- Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.
2017 Privacy Risk Summit Session
For more on the topic of Privacy and the Internet of Things, attendees of the upcoming Privacy Risk Summit are invited to join the session “What’s your Wallet? The Privacy and Security of In-Car Payment Systems” on June 6, 2017 from 10:30 – 11:30 AM. A panel that includes K&L Gates attorneys from the US and Europe, a client manufacturer of connected car technology and myself will discuss the challenges of implementing the new standards imposed by the US Federal Trade Commission, as well as French, German and British data protection authorities. Panelists include:
- Jill Phillips, Sr Attorney, Privacy & Security, Intel
- Julia Jacobson, Partner (Boston Office), K&L Gates LLP
- Claude-Etienne Armingaud, Partner (Paris Office), K&L Gates LLP
- Alex Wall, Senior Counsel & Global Privacy Officer, RADAR, Inc.