611 Anton Boulevard, Suite 1400 • Costa Mesa, CA 92626 • 714.641.51003000 El Camino Real, Suite 200, Building 5 • Palo Alto, CA 94306 • 650.320.1500

I. Introduction

In the technology space, there are few terms creating more of a buzz at the moment than“cybersecurity” and “the Internet of Things (IoT).” Although security analysts and information technology (IT) specialists are taking the combination of cybersecurity and IoT devices seriously, it appears legislatures and regulators are currently foregoing enactment of legislation and regulations, respectively, covering IoT devices and the data they collect. This approach may be acceptable while the IoT is in its infancy, but as the number of IoT devices in use worldwide grows exponentially over the next few years, legislatures will likely need to consider addressing such issues.

When considering cybersecurity issues related to IoT devices, one initial question many people have is: What is an IoT device? Although no official definition of the term exists, the Internet of Things is defined by the Oxford Online Dictionary as “[t]he interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.” Therefore, an IoT device may include any device that is capable of connecting to the Internet, directly or indirectly (e.g., through a wireless hub), and sending and/or receiving data. Today, beyond laptops and mobile phones, IoT devices include everyday objects such as watches, thermostats, televisions (TVs), door locks, washing machines and even cars.

II. How invasive have IoT devices become?

According to the “Internet Security Threat Report,” there were approximately 3.9 billion IoT devices worldwide in 2014. In 2015, that number rose to 4.9 billion and currently sits at 6.4 billion. The rate of deployment of IoT devices appears to be increasing, as the number of IoT devices worldwide is anticipated to reach 20.8 billion by 2020. Beyond the sheer number of IoT devices currently in use worldwide today, the IoT devices are collecting highly personal information. For example, smart watches may collect health data and track a wearer’s geographical location. As a second example, smart TVs may record credit card information used to purchase movies or shows while also recording a household’s television watching habits. Additionally, smart door locks maintain information on who

1

2

4

6

3

Privacy and Security Concerns Resulting From A Lack of Regulation of IoT Devices and the Data Collected Therefrom

by Kyle St. James

GUIDING CLIENTS TO SUCCESS

www.rutan.com

and when persons are accessing a “connected” home. Thus, although IoT devices provide numerous benefits to their users, IoT devices present security and privacy concerns as well.

IV. Can current legislation be used to handle security and privacy concerns related to IoT devices?

Although no current legislation has been enacted that focuses on privacy and security issues generated by IoT devices, some current legislation may be applied to IoT devices and the information they collect. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) establishes a national standard for protecting certain health information that is held or transferred in electronic form. The Security Rule of HIPAA is enforced by the Office of Civil Rights within the U.S. Dept. of Health and Human Services, and non-compliance may result in civil penalties. Specifically, HIPAA provides regulations regarding the privacy and security of PHI collected by “covered entities,” which are defined as health care providers that conduct certain standard administrative and financial transactions in electronic form, health care clearinghouses, or health plans. HIPAA defines “protected health information” (PHI) as information that relates to an individual’s past, present, or future physical or mental health or condition, the (i) provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and

13

7

8

9

10

11

12

III. How has the explosion of IoT devices become a problem?

IoT devices offer numerous benefits – for example, companies may automate and track processes that previously required human resources and individuals may monitor fitness goals in efforts to lead healthier lives. However, any company relying on IoT devices can be disrupted, even temporarily “shut down,” due to a cybersecurity attack. Additionally, those utilizing IoT devices to track fitness goals or automate a household may fall victim to theft of protected health information (PHI) or financial information, which may be used for public dissemination, blackmail, or other malicious purposes. These are only a few examples of how cyberattacks via IoT devices may potentially disrupt the way of life for thousands, or even millions, of individuals.

Even today as the IoT is in its infancy, there are plenty of known vulnerabilities with IoT devices that allow for cyberattacks. A technology company that primarily develops software security, Symantec, provided multiple examples of proof-of-concept cyberattacks to IoT devices. For example, Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of a vehicle remotely. Additionally, Symantec reports findings of vulnerabilities in smart door locks, medical devices such as insulin pumps and implantable defibrillators for example, and other electronic devices such as routers, webcams, and smart TVs. Similarly, antivirus software developer, Bitdefender, tested several commercially available IoT devices and found several vulnerabilities. For instance, Bitdefender found vulnerabilities in the WeMo Switch, Lifx Bulb, LinkHub from GE, and the MUZO Cobblestone Wi-Fi Audio Receiver. As one example, Bitdefender found that a vulnerability in the software controlling the Lifx Bulb allowed a hacker to steal credentials of a user’s home wireless network.

Thus, as IoT devices continue to be further integrated into users’ lives, more opportunities will arise for a hacker to exploit vulnerabilities in the IoT devices and steal personal health information and/or financial data. Similarly, as more and more data is collected by IoT devices, device developers will be tasked with storing this data and avoiding the use of the data in a manner inconsistent with users’ expectations.

611 Anton Boulevard, Suite 1400 • Costa Mesa, CA 92626 • 714.641.5100

3000 El Camino Real, Suite 200, Building 5 • Palo Alto, CA 94306 • 650.320.1500

V. Problems created by the discrepancy in applicability of current legislation to entities handlingdata collected from IoT devices

As the number of IoT devices in use worldwide climbs toward 20 billion, the majority of IoT devices will remain common, everyday objects not affiliated with covered entities as defined by HIPAA. Thus, the data collected by those devices will remain uncovered by HIPAA, and, without any additional legislation, remain unregulated. Therefore, the collection, storage and usage of data by technology companies that develop and manufacture IoT devices will remain unregulated. This discrepancy between the regulation of data collected, stored and transmitted by covered entities compared to the same data collected, stored and transmitted by technology companies may lead to privacy and security issues.

(ii) that identifies the individual or for which there is a reasonable basis, to believe can be used toidentify the individual. PHI includes many common identifiers (e.g., name, address, birth date, SocialSecurity Number, demographic information) when they can be associated with the individual’s healthinformation.

Therefore, data collected by health devices provided by health care providers is covered under the Security Rule of HIPAA when the data can be linked to a particular patient. However, the majority of IoT devices are common, everyday objects that collect sensitive personal and financial information, the security and privacy of which is not covered by HIPAA.

14

Although the FTC recommended not pursuing legislation specifically regulating IoT devices and the data collected by them, the FTC did recommend enacting general data security legislation applicable to the collection, storage, transmission and usage of all sensitive, personal data. Such general security and privacy legislation would help protect against sensitive, personal data being (i) collected without consumer knowledge or consent, (ii) stored in a manner that does not meet industry-wide standards, and (iii) used in a manner inconsistent with consumers’ expectations. Clearly, the FTC is starting to prepare for an automated world and the challenges that await. We expect to continue to see over the next few years, a growing urgency by the FTC, and legislatures, to develop and enact legislation regulating the IoT and IoT devices to brace for potential cyberattacks that could cripple households, companies, industries, or even geographic regions.

15

1 Internet of things, Oxford Dictionaries, http://www.oxforddictionaries.com/us/definition/american_english/internet-of-things (last visited June 13, 2016).Internet Security Threat Report, Volume 21, Symantec Corporation, 17, (April 2016), available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdfId.Id.Lauren Goode, Samsung's new Gear Fit 2 has GPS and a giant display, The Verge (June 2, 2016), http://www.theverge.com/2016/6/2/11822824/samsung-gear-fit-2-review-fitness-tracker-smartwatch-gps. Symantec, supra note 2 at 16.Id.

2

3

5

67

4

611 Anton Boulevard, Suite 1400 • Costa Mesa, CA 92626 • 714.641.5100

3000 El Camino Real, Suite 200, Building 5 • Palo Alto, CA 94306 • 650.320.1500

611 Anton Boulevard, Suite 1400 • Costa Mesa, CA 92626 • 714.641.5100

3000 El Camino Real, Suite 200, Building 5 • Palo Alto, CA 94306 • 650.320.1500

Kyle St. James(714) 338-1805kstjames@rutan.com

Is Your Website Privacy Policy Compliant

Terms of Use

It Appears The Law Is Trending Towards Providing Fewer Privacy Protections to Individuals

Cybersecurity Strategies for Small and Middle-Market Companies

15

8

9

10

11

12

Id.Id.Alexandra Gheorghe, The Internet of Things: Risks in the Connected Home, Bitdefender (February 2016), available at http://download.bitdefender.com/resources/files/News/CaseStudies/study/87/Bitdefender-2016-IoT-A4-en-EN-web.pdfId. at pp. 5-11.Id. at p. 7.Summary of the HIPAA Security Rule, U.S. Department of Health & Human Services, http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/ (last visited June 13, 2016). Protected Health Information, U.S. Department of Health & Human Services, http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#prote ctedInternet of things: Privacy & Security in a Connected World, FTC Staff Report, 49, (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

13

14

To see related articles listed below click here