• It’s 11:30 PM, Do You Know Where Your Data Is? Privacy & Connected Devices
  • October 13, 2014 | Author: Cynthia J. Larose
  • Law Firm: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. - Boston Office
  • This marks the second week of National Cyber Security Awareness Month, and one focused on the Secure Development of IT Products, so it seems only appropriate to discuss security and The Internet of Things and a recent panel discussion on privacy and IoT.

    Last week, privacy and security professionals gathered at CyberTech’s CyberFest 2014 in San Diego, which included a panel on IoT: War on Privacy. Moderated by Justine Phillips of Sheppard Mullin, panelists included:

    • Cynthia Larose, Mintz Levin (and editor of this blog)
    • Eric Trapp, E&Y
    • Stephen Cobb, ESET NA, and
    • Beth Givens, Privacy Rights Clearinghouse

    What’s “IoT” or The Internet of Things?

    The Internet of Things (IoT) - or connected devices - is becoming more pervasive in our lives. Popular products range from home automation tools like Nest to those that enable “the quantified self” like activity and sleep trackers like Fitbit and Sense from hello .

    So, why does privacy and security matter with the Internet of Things?

    The panel laid the groundwork explaining why “bad guys” gaining access to your seemingly innocuous running log could be dangerous in the wrong hands.

    Much like identity theft “dumpster divers” of the pre-Internet days, hackers can use a variety of information to compile a “profile” based on your behavior and triangulate different data about you. Your running data may tell someone you’re out on a run - not at home - and your home is vulnerable for a break-in.

    According to Givens, the three thriving areas of connected devices right now are fitness and health, home and automotive. Since automotive records your location, this could reveal a lot about you.

    What should companies do?

    First, companies absolutely must invest in accurate and thorough privacy policies and be sure they understand their liability—whether they’re storing, broadcasting or aggregating information. Though businesses can purchase insurance for many data breach instances, they must meet minimum standards in order to even be considered insurable, including having a sound privacy policy.

    Additionally, keep privacy at the forefront of design and development—not an afterthought. Privacy by Design and “security by design” can be market differentiators, as more consumers are looking to have control over their privacy. In addition to being clear about your policy, always allow users to opt out. While it may not seem like it’s in the best interest of your company because you might want to collect data, the trust of users pays for itself in the long run.

    Larose put it simply when she encouraged companies to “Do what you say, and say what you do.” That means make your privacy and security policies clear and straightforward, then stand by them. Be sure that you can deliver on your promises.

    Finally, only collect or keep data that you absolutely need. As Larose said, “If you don’t have it, you can’t lose it!”

    What can users do?

    Consumers, too, must understand their rights. Users are in control of the market value of secure products. Stephen Cobb pointed out that users can start by voting with their wallets and investing in privacy and security - so the next time you’re shopping for a router or other tech product, instead of asking for the cheapest, ask for the most secure.