On January 27, 2015, the Federal Trade Commission issued a report on staff[1] recommendations of best practices for businesses to protect consumer privacy and security in the growing world of Internet-connected devices. The Commission addressed four areas: (1) reasonable security for a device, (2) reasonable limitation of data collection, (3) reasonable notice and choice for data collection and use, and (4) whether legislation is appropriate. The report summarizes the Commission's workshop last fall, attended by leading technologists, academics, industry representatives, consumer advocates, and others.

The report responds to the enormous expansion of devices that connect to the Internet through embedded sensors and wired or wireless technologies. This connected ecosystem, called the Internet of Things ("IoT"), is expected to expand from 25 billion devices by the end of this year to 50 billion by 2020. Commission Chairwoman Edith Ramirez stated in a press release that for the IoT to reach its full potential, it must have "the trust of the American consumer."

The Commission recommends that companies:

Data Security

  • build security into their devices early in the design process rather than as an afterthought. See Food & Drug Law Blog article on similar FDA guidance here;
  • incorporate data security in their personnel practices, including hiring and employee training, and ensure executive level responsibility;
  • exercise vendor oversight with an eye to their maintenance of data security;
  • implement security measures at several levels, a "defense-in-depth approach," for systems that pose significant risk;
  • limit access to the device, data, and the consumer's network; and
  • monitor and assess a device, including any patches, through its entire life cycle.

Data Minimization and Notice

  • develop policies and practices imposing reasonable limits on collection and retention of consumer data, balancing beneficial use of collected data with privacy protection; and
  • allow consumers to limit the collection or use of their data when such collection or use is inconsistent with the context of the transaction.

The Commission staff stops short of advocating for IoT-specific legislation, recognizing that it may be premature in an area with such great potential for innovation. However, the report reiterates the Commission's prior recommendation that Congress enact "strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach." To ensure that IoT companies continue to consider security and privacy issues as they develop new devices and services, the Commission cautioned that it would continue to enforce existing federal law, including the FTC Act, the Fair Credit Reporting Act (FCRA), the Children's Online Privacy Protection Act (COPPA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

As the IoT continues to grow, developers and manufacturers can expect more regulation and guidance from governmental agencies addressing consumer security and privacy concerns.

Footnote

1. The Commission vote to issue the staff report was 4-1, with Commissioner Wright voting no. Commissioner Ohlhausen issued a concurring statement, expressing some concern at the Commission's precautionary support for data minimization, and Commissioner Wright issued a dissenting statement, cautioning that the best practices and recommendations lacked analytical support.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.