This post was co-written by Montgomery McCracken associates Benjamin E. Fuller and Ernest D. Holtzheimer.
As the Internet of Things (“IoT”) continues to revolutionize the world through web-enabled devices, from smart refrigerators to smart defibrillators, the companies engineering these devices need to be aware of the unique legal issues that result from enabling a device to be controlled through the Internet. Although doing so carries a wide spectrum of legal implications, two of the most important – and often riskiest – areas of concern are data security and privacy.
Data Security
Self-explanatory in nature, data security generally refers to the protection of data. As companies begin releasing IoT products that wirelessly broadcast private and sensitive data such as health records, financial statements and personal calendar appointments, the security of this transmission, as well as the security of the device itself, becomes paramount. Despite these issues, more and more entrepreneurs are entering this sector as innovative corporate conglomerates such as Apple, Google and Amazon continue to push web-connected devices. Without a strong emphasis on data security, we are only going to see more large-scale data breaches across a wide variety of industries. While established companies like Home Depot and Target may be able to bounce back from a large-scale data breach, less established startups could be bankrupted and put out of business by a single incident. With too many companies failing to account for data security at all, the problem has garnered the attention of the Federal Trade Commission, which in 2015 issued a report entitled “Internet of Things, Privacy & Security in a Connected World,” a highly recommended read for every company entering the IoT industry.
Privacy
Beyond data security, general privacy should be a concern for entrepreneurs entering the IoT marketplace. Whether a device always collects information, only collects information at the request of the user, or somewhere in the middle, it is best to always make your users aware of any collection of data.
In a recent highly publicized murder trial, the prosecution sought access to the defendant’s Amazon Echo smart speaker information. Prior to this lawsuit, many users were unaware that the Amazon Echo device always collects information. Specifically, it’s always listening for your wake-up command, which cues it to start recording. The recording includes a snippet of what you said before, as well as the command that follows. The device sends your command to cloud servers, where your speech is interpreted and a response is sent back through the device. While Amazon denied access to the data and the issue has been appealed, this case highlights the fact that when your IoT company is in control of someone else’s data, you might find yourself becoming involved in third-party lawsuits.
There have also been cases outside of home automation, with devices like the Fitbit. In these instances, data has been used to disprove witness testimony when the witness’s Fitbit data shows that the individual was in a different location during the time at issue.
To best protect a company, users should be given transparency about where and when their data is being collected. Likewise, users should know whether the data is being stored locally or being sent to a server for analysis, as is often the case, and whether they can alter the frequency of data collection or delete data records.
Failure to account for privacy and data security issues can lead to lawsuits, angry customers, and in turn, failed startups. If your device deals with private or personal information, follow best practices and work with your attorney to establish a detailed privacy and data security plan to build into your device, one that is tailored to the industry, location and type of data being transmitted or stored.