FTC Releases Staff Report and Security Guide on Internet of Things

Internet of Things logoFTC Releases Staff Report and Security Guide on Internet of Things

Last November, the FTC held a workshop on the The Internet of Things.  This week the FTC has released a detailed staff report of its findings.

  • Security was one of the main topics addressed at the workshop and in the comments, particularly due to the highly networked nature of the devices. The report includes the following recommendations for companies developing Internet of Things devices:
    • build security into devices at the outset, rather than as an afterthought in the design process;
    • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
    • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
    • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
    • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
    • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
  • Commission staff also recommend that companies consider data minimization – that is, limitingthe collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer datawill be used in ways contrary to consumers’ expectations.The report takes a flexible approach to data minimization.  Under the recommendations, companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data; or choose to de-identify the data collected.
  • FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. It acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some Internet of Things devices may have no consumer interface.  FTC staff identifies several innovative ways that companies could provide notice and choice to consumers.
  • Regarding legislation, staff concurs with many stakeholders that any Internet of Things-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology. The report, however, reiterates the Commission’s repeated call for strong data security and breach notification legislation. Staff also reiterates the Commission’s call from its 2012 Privacy Report for broad-based privacy legislation that is both flexible and technology-neutral, though CommissionerOhlhausen did not concur in this portion of the report.The FTC has a range of tools currently available to protect American consumers’ privacy related to the Internet of Things, including enforcement actions under laws such as the FTC Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act; developing consumer education and business guidance; participation in multi-stakeholder efforts; and advocacy to other agencies at the federal, state and local level.

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

In addition to the report, the FTC also released a new publication for businesses containing advice about how to build security into products connected to the Internet of Things. “Careful Connections: Building Security in the Internet of Things” encourages companies to implement a risk-based approach and take advantage of best practices developed by security experts, such as using strong encryption and proper authentication.

The Commission vote to issue the staff report was 4-1, with Commissioner Wright voting no. Commissioner Ohlhausen issued a concurring statement, and Commissioner Wright issued a dissenting statement.

Commissioner Wright’s dissent explained:

I dissent from the Commission’s decision to authorize the publication of staff’s report on
its Internet of Things workshop (“Workshop Report”) because the Workshop Report includes a
lengthy discussion of industry best practices and recommendations for broad-based privacy
legislation without analytical support to establish the likelihood that those practices and
recommendations, if adopted, would improve consumer welfare. This approach differs from the normal approach to a workshop report, which is to synthesize the record developed during the proceedings, and not to make broad policy recommendations

Where do we go from here?  The Report describes four ongoing initiatives:

  • Law enforcement:  The FTC enforces – among other statutes – the FTC Act, the Fair Credit Reporting Act, COPPA, and the health breach notification provisions of the HI-TECH Act. When it’s appropriate, the staff will recommend that the Commission take action when there’s reason to believe the law is being violated.
  • Consumer and business education.  We’re continuing our effort to provide advice for businesses with the publication of Careful Connections: Building Security in the Internet of Things.  And there will be more where that came from both for companies and for consumers.
  • Participation in multi-stakeholder groups.  We’re already working with groups considering guidelines and best practices – and those efforts will continue.
  • Advocacy.  We’ll look for opportunities to share our perspectives with other government agencies, state legislatures, and courts to promote protections in this area.