The Federal Trade Commission (FTC) released a report this week examining the privacy and security implications of the so-called “Internet of Things.” The Internet of Things (IoT) refers to the ability of everyday objects to connect to the Internet and to send and receive data. As the number of connected devices has surged in recent years, the FTC has signaled a strong interest in the IoT and repeatedly warned businesses to be mindful of consumer privacy and security when developing new products.
The report, titled “Internet of Things: Privacy & Security in a Connected World,” follows the FTC’s public workshop on the IoT, which the Commission held in Washington, DC, in November 2013. The report summarizes that workshop and also provides recommendations from FTC staff for how best to protect consumer privacy and security in a world with 25 billion connected consumer devices. In particular, the report provides the following recommendations for companies developing IoT devices:
- Build security into devices at the outset, rather than as an afterthought in the design process;
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- Ensure that, when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network; and
- Monitor connected devices throughout their expected life cycle and, where feasible, provide security patches to cover known risks.
The report also encourages companies to limit their collection of consumer data, to retain consumer information only for a set period of time, and to provide consumers with meaningful notice and choice regarding how their information will be used. Although the FTC is not currently recommending legislation in this area, the Commission has noted that it has a range of existing tools available to protect consumer privacy, including the FTC Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act.
In addition to the general IoT report, the FTC also released a separate report specifically for businesses with IoT products. That report, titled “Careful Connections: Building Security in the Internet of Things,” provides advice for businesses about building security into IoT products, including proper authentication, reasonable security measures, and carefully considered default settings.