LexisNexis® for Corporate Counsel
By Kristin Casler, featuring Ryan T. Bergsieker of Gibson, Dunn & Crutcher; Karen Jagielski, senior attorney, FTC, Division of Privacy and Identity Protection; Leon Silver of Gordon & Rees; and Rob van Kranenburg, author of The Internet of Things
Many organizations already have a fleet of smart vehicles, operate smart factories or office buildings and conduct business around the world with unprecedented ease and efficiency. But the data exchange that is starting to make reality resemble The Jetsons comes with risks that experts say may unplug data privacy forever. As your organization takes advantage of technology, it is important to understand the risks.
The Internet of Things (IoT) refers to devices that are connected to each other via a network that allows them to communicate, gather and analyze data and even accomplish tasks. You may already know about devices that let you turn on your house lights and adjust the temperature during your ride home. And you’ve likely used the technology to find the nearest Starbucks. But the world is also seeing rapid growth of smart farms, hotels, manufacturing facilities and many more smart devices. Some people even believe that IoT developments will one day solve world hunger, said Leon B. Silver, Retail & Hospitality practice group leader at Gordon & Rees. But to do any of this requires collecting and using data.
“Personal data has been called ‘the new oil of the Internet and the new currency of the digital world,’” Silver said. “It now stands on par with people, technology and capital as a core business asset. Data is becoming the single most valuable asset a company has.”
The influx of data and connectivity is resulting in smarter and safer products, smarter and more efficient business operations and smarter decisions, Silver said. It already is changing company business models. For example, John Deere has sold tractors for decades. But data connectivity on tractors now lets farmers know which crops to plant, when and where to plow, and even what route to take in plowing. “They are now in as much a business of collecting and analyzing data for their customers as they are in selling tractors,” Silver said.
Today, 4.9 billion things are “connected.” Cisco Systems estimates that the number will shoot to 50 billion by 2020. A Federal Trade Commission report found there is one data point every six seconds for every household.
All of this data usage raises concerns about how it is used and by whom. The unintended consequences of the technological convenience are that others (ex-spouses, stalkers, employers) can track your whereabouts, or that robbers can hack in and determine whether you are home. Insurers can use health monitoring to raise your rates and employers can see what you are doing in your off hours. Silver predicted it won’t be long before employers will mandate insertion of microchips under workers’ skin for security, tracking and making equipment work (some people are already voluntarily doing this).
Government regulators and law enforcement work hard to make sure people are as protected as possible. But all of the regulation is a little perplexing, said Rob van Kranenburg, author of The Internet of Things, given that the whole idea of the IoT is the seamless exchange of information. “It’s not as if there are bugs in the system,” he said. “The system is the bug.”
One cannot view things from an analog perspective any more, van Kranenburg said. There is no longer just a subject and an object. There will always be some kind of third party, and it is data. “We need to rethink what legality is and find out what the new notions of fairness are in this new world.”
He was a bit surprised at U.S. regulatory efforts and expectations of privacy. “How can you still have this notion of privacy when you can be identified by what you wear and carry?” Going back to the 1800s, when everything was private, is untenable, van Kranenburg said. It also runs contrary to U.S. industry practices of developing more and more data-centric technology.
Van Kranenburg noted that the Dutch government and many others are investing in quantum computing, and he argued that whoever gets there first will break all encryption and all notions of security as it currently exists.
But the current system does exist, and companies need to protect data and themselves. “Cisco blocks 19.6 billion threats a day,” Silver said. “That’s more than the number of Google™ searches. Staying one step ahead of the black hats is a very difficult thing to do.”
In fact, as media accounts can attest, things often go wrong. Most organizations have either been hacked—whether they know it or not—or will be hacked. “If you put enough hackers together and give them enough time and enough tools, they will probe and probe until they find vulnerabilities in any company,” said Ryan T. Bergsieker, of counsel at Gibson, Dunn & Crutcher. He helps companies prepare for the near-inevitability of a hack and trains them how to respond.
Organizations typically see three legal proceedings stemming from an attack—law enforcement investigations of the hacker, regulatory investigations of the company and civil actions brought on behalf of consumers or shareholders. Handling each is different, and organizations must balance their responses.
In the case of law enforcement, routine contact before any incident helps a company build a relationship and trust: it can keep up with potential threats and has a familiar resource when a hack occurs, Bergsieker said. However, he cautioned that any information shared should first be vetted with legal counsel, because there is an argument that these communications are not privileged and may be discoverable in other actions.
One of the Federal Trade Commission’s missions is to protect consumers. It could come after a company that fails to take reasonable security measures or misrepresents those measures, regardless of whether there is a data breach, said Karen Jagielski, senior attorney, FTC, Division of Privacy and Identity Protection. Of course, a breach in and of itself does not mean that you failed to have reasonable security measures, she said.
She said common mistakes organizations make include: storing information longer than needed; using default or easy-to-guess passwords; storing or transmitting information, including passwords, in plain text; failing to segment networks so that a compromise of one part of a system cannot reach another; lack of employee training and oversight; and failing to take reasonable steps to detect or investigate breaches.
Common privacy failures occur when an entity rolls out a new service or feature that increases sharing without notice to or consent from the user, or misrepresents with whom the data is shared; in tracking and opt-out features; in what data is collected and how; and in deletion of information, Jagielski said.
She cited a case in which a company represented that its cameras were secure, yet hackers accessed them and viewed personal activities.
Jagielski suggested some dos and don’ts for organizations to consider:
Start with security. When creating a new product or system, build security in from the beginning rather than adding it at the end.
Don’t collect information you don’t need and don’t hold it longer than necessary. One retailer used credit and debit card numbers for transactions, then kept them for 30 days, during which they could be stolen and used to make counterfeit cards. Another company used actual personal data in employee training and then left the information on the computers.
Don’t use personal information you don’t need.
Restrict access to data and administrative access. Employees don’t need to be able to do everything on a computer system. One company failed to restrict access, and a group of employees transferred more than 7,000 consumer files to a third party.
Require secure passwords and authentication. Passwords should be complex, unique and a combination of symbols, numbers and letters. Store them securely, never in plain text. And make sure authentication cannot be bypassed.
Segment your network. Limit access between computers, and between computers and the rest of your network, so that a compromise in one segment does not reach the others. And monitor the system using tools that scan for malicious activity.
Ensure endpoint security. In one instance, a company activated a remote login for a client without first assessing that business’ security. Hackers obtained the remote login and accessed consumer information.
Train employees in security.
Follow platform guidelines for security.
Verify that privacy and security features work.
Regularly assess for well-known vulnerabilities.
Make sure service providers implement reasonable security measures. Insist security standards are part of the contract and verify compliance. “You can’t just assume that your service provider is going to responsibly do everything they need to,” Jagielski added.
Update and patch third-party software.
Have a process for receiving and addressing alerts. One company received a vulnerability alert from a researcher. It was logged as a customer password reset. An auto-reset email went out, and the issue was tagged as resolved.
Protect devices. Laptops and phones locked in cars are often stolen.
Shred documents and hard drives.
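Two items on that list, the warning against storing passwords in plain text and the call for complex, unique passwords that are stored securely, are concrete enough to show in code. The following is an added example written for this article; it is not code from the FTC, from the webinar speakers or from LexisNexis. It puts a plaintext credential store (the mistake) beside a hardened one that enforces a password policy, keeps only a salted, slow PBKDF2-HMAC-SHA256 hash, and compares in constant time. The iteration count, salt length, minimum length and the small denylist of default passwords are assumptions chosen for illustration.

```python
"""Password storage: the plaintext mistake beside the hardened form.

Added example for this article; not code from the FTC, the webinar speakers
or LexisNexis. Standard library only. The iteration count, salt length,
minimum length and weak-password denylist are assumptions for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption; stored in each record so it can be raised later
SALT_BYTES = 16              # assumption: 128-bit random salt per user
MIN_LENGTH = 12              # assumption
# Assumption: a tiny denylist standing in for a real list of default/common passwords.
WEAK_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein", "welcome"}


def password_is_acceptable(password: str) -> bool:
    """Reject default or easy-to-guess passwords and require three character classes."""
    if len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


# --- The mistake the FTC list describes: credentials kept in plain text ---
def store_plaintext(users: dict, username: str, password: str) -> None:
    """Anyone who reads this table (backup, log, SQL injection) gets every password."""
    users[username] = password


def verify_plaintext(users: dict, username: str, password: str) -> bool:
    return users.get(username) == password


# --- Hardened form: per-user salt, slow hash, only the hash is stored ---
def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(users: dict, username: str, password: str) -> None:
    """Enforce the password policy at enrolment, then store only the hash."""
    if not password_is_acceptable(password):
        raise ValueError("password is a default, too short or not complex enough")
    users[username] = hash_password(password)


def verify_hashed(users: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    record = users.get(username)
    if record is None:
        hash_password(password)  # burn the same time so unknown users are not detectable by timing
        return False
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False  # unknown record format: fail closed, there is no fallback that bypasses the check
    expected = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: the same credential enrolled in both stores.
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "Tr0ub4dor&3xample!")
    store_hashed(hashed, "alice", "Tr0ub4dor&3xample!")
    print("plaintext record exposes:", plain["alice"])
    print("hashed record stores:   ", hashed["alice"])
    print("login ok:", verify_hashed(hashed, "alice", "Tr0ub4dor&3xample!"))
    print("wrong pw:", verify_hashed(hashed, "alice", "guess"))
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised for new enrolments without invalidating existing records, and a breach of the table yields only per-user salted hashes rather than reusable passwords. A production system would normally reach for a maintained library implementing bcrypt, scrypt or Argon2 rather than hand-rolling even this much; the point here is what "store them securely" means in practice.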
With so many issues and so much at risk, how did The Jetsons do it?
This article is based on a complimentary LexisNexis® Webinar from October 2015 moderated by Jake Hirsch-Allen of LinkedIn®.