While hundreds of tech companies are racing to develop the newest in Internet-connected “smart” devices, Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez is sending a reminder to those companies of their responsibilities to consumers. At the 2015 Consumer Electronics Show held in Las Vegas, January 6-9, Chairwoman Ramirez highlighted some best practices to address the vast array of consumer privacy risks posed by the “Internet of Things.”
The “Internet of Things” refers to the growing ability of everyday devices to monitor and communicate information through the Internet. For example, mobile phones are used for far more purposes than originally intended by Mr. Alexander Graham Bell. They have become integral to our daily lives: waking us up in the morning, feeding us the news on our commute to work, and tracking our sleep patterns at night via Bluetooth technology.
However, with the widespread use of innovative “smart” technology comes a swath of potential privacy concerns for consumers and companies alike. In her speech, Chairwoman Ramirez warned that the data collected from these “smart” devices “will present a deeply personal and startlingly complete picture of each of us—one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends.” In response to the risk of potential misappropriation of consumer data, the FTC is calling for companies to mitigate privacy risks and embrace principles of “security by design” and “data minimization,” where companies only collect requisite information for a specified purpose and then safely and immediately dispose of it afterwards. More specifically, Ramirez stated, “companies should: (1) conduct a privacy or security risk assessment as part of the design process; (2) test security measures before products launch; (3) use smart defaults – such as requiring consumers to change default passwords in the set-up process; (4) consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and (5) monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities.” In addition, Ramirez suggested companies should implement technical and administrative measures to ensure reasonable security, “including designating people responsible for security in the organization, conducting security training for employees, and taking steps to ensure service providers protect consumer data.”
Though this isn’t the first time the FTC has taken a firm stance on “The Internet of Things,” it acts as an important reminder looking into the New Year. In November 2013, the FTC convened a public workshop in D.C. on the “Internet of Things” to study privacy and security concerns related to the industry, and then held a comment period lasting until January 2014. Then, in September 2013, the FTC brought its first enforcement action in this area, a case we previously covered on our blog. The agency is projected to issue a report with findings and recommendations sometime this year. We will be monitoring the FTC’s movement closely in this area.