Do you own a wireless router for your home or a printer that allows you to print wirelessly? How about a thermostat connected to the internet? Does your business use video cameras that transmit over the internet?
All of these internet-connected devices are part of the Internet of Things (IoT), which comprises approximately 6.4 billion devices and is growing.
Individuals can use IoT to improve their own health, such as fitness trackers that monitor a user’s vital statistics, which are then stored on the user’s smartphone. IoT also can have practical application in manufacturing and industry, such as the use of smart-grid technologies by utilities in the efficient management and distribution of electricity service. Businesses rely increasingly upon IoT connectivity to automate processes, reach customers and clients quicker than ever, and enhance economies of scale in supply and service chains.
Estimates predict that the number of connected devices communicating through the internet will exceed 25 billion by 2020 – approximately four times the number of inhabitants on Earth. Trillions of dollars of IoT investment will occur internationally during this period of rapid expansion. Manufacturing, energy and utility sectors have led the IoT transformation, with health care, transportation and public sectors growing in their reliance on IoT technology.
Daily challenges persist in the management and protection of data generated and exchanged through internet-connected devices. Hackers assemble IoT devices into botnets, groups of hijacked devices infected with malware and controlled remotely without the owners’ knowledge. Botnets can launch distributed denial of service attacks to cause disruption of service to a website, an application or a network.
Hackers continuously search for and exploit IoT security vulnerabilities to access and misuse data relating to employees and customers. Inadequate security measures across platforms, from the IoT devices and hardware to the cloud servers where IoT data is stored, can make IoT devices easy targets for hackers. Such deficiencies can result in the unauthorized disclosure of personally identifiable, financial and health care information, as well as a company’s trade secrets.
With IoT technology still in its relative infancy, the security challenges mandate the prompt implementation of collaborative, cross-functional solutions.
Policies should articulate what devices can be attached to the company’s networks and the required authorizations. Training should focus employees on the proper use of connected devices and the risks of breaches both inside and outside the workplace, especially with the increase in remote workforces. Network scans must be performed with a strong understanding of the threats arising from connected devices. IoT security planning must start with purchasing evaluations and include routine inventorying of the devices connected to the company’s network.
The legal playing field applicable to the IoT is evolving. There is no single federal agency with overall regulatory oversight. The Federal Trade Commission, with its broad powers to protect consumers against unfair and deceptive trade practices, has been increasingly active in pursuing enforcement actions against companies for not adequately securing IoT devices.
Applicable governmental oversight will depend upon the sectors in which companies operate and data that they compile.
Businesses should monitor all state laws applicable to their operations and compilation of personally identifiable information, as state legislatures will assess the impact of IoT technologies on their privacy, identity theft and cybersecurity laws.
Steven M. Richard is a trial and appellate lawyer at Nixon Peabody LLP.