On January 27, 2015, the Federal Trade Commission (“FTC”) released a detailed report on the Internet of Things (“IoT”), recommending a series of concrete steps for businesses to enhance and protect consumers’ privacy and security.
The report includes several recommendations addressing four main topics.
First, it recommends the implementation of security measures for companies developing IoT, such as:
- building security into devices at the outset, rather than as an afterthought;
- training employees about security;
- ensuring that when outside service providers are hired they are capable of maintaining reasonable security;
- considering a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- considering measures to keep unauthorized users from accessing consumers’ devices, data, or personal information;
- monitoring connected devices throughout their expected life cycle and, where possible, providing security patches to cover known risks.
Second, it advocates data minimization: companies should limit the data they collect and retain, and dispose of data once no longer needed.
Third, the FTC recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond their reasonable expectations.
Regarding legislation, the report holds that IoT-specific legislation might be premature given the rapidly evolving nature of the technology. The report, however, calls for strong data security and breach notification legislation. The FTC also reiterated its call for the development of self-regulatory programs to encourage the adoption of privacy- and security-sensitive practices.
The report on the IoT is available at http://www.ftc.gov…
The press release is available at http://www.ftc.gov…
On the same topic: the Int’l Conference of Data Prot. & Privacy declaration and WP29’s Opinion of IoT.