New FTC Report Sets Out Principles Likely to Influence Regulation of the “Internet of Things”

February 5, 2015

On January 27, 2015, the Federal Trade Commission (“FTC”) released a report on the “Internet of Things” (“IoT”), which refers to everyday objects that are connected to the Internet and send and receive data.[1]  Examples of IoT devices include fitness bracelets that track a wearer’s physical activity and “smart” thermostats controlled by mobile phone.  The IoT includes virtually any Internet-enabled object–other than computers, smartphones, or tablets–and is a major area for future growth in the technology sector: experts estimate there will be 50 billion connected devices by 2020.[2]  The report’s release signals the increased attention this growing subsector of the technology industry is poised to receive from regulators and policymakers.  The report summarizes a November 2013 workshop hosted by the FTC on the IoT, outlines potential security and privacy risks associated with ubiquitous Internet-enabled devices, describes best practices for ensuring such devices are safe, and provides recommendations regarding new legislation.  This client alert summarizes the report and analyzes what the report may mean for IoT in the years ahead.

Risks Posed by the IoT

The report states that most new technology comes with risks, and IoT devices are no different.  According to the FTC, the two key risk areas are security and privacy.

In terms of security, according to the FTC, IoT devices can facilitate attacks on other shared systems or networks.[3]  Moreover, IoT devices can create personal safety risks unlike those of traditional Internet-connected devices.[4]  For example, if a hacker gains control over an IoT device used to lock a user’s front door, that would pose a unique and direct personal security risk.

According to the FTC, the privacy risks associated with IoT devices are a direct result of the massive amounts of data these devices gather.[5]  The very personal nature of some of the data collected by these devices further intensifies the concern: for example, some IoT devices collect sensitive financial information, while others collect personal health information.  The FTC highlights in its report that such data may be accessed by unauthorized users, and misused by the companies authorized to use it for limited purposes.[6]

FTC Suggests Best Practices for Addressing These Risks

Data security

The FTC recommends companies take appropriate measures to ensure data security in their IoT products, including some or all of the following, depending on how much data is collected and how sensitive that data is.  First, companies should implement “security by design” by building security into their devices from the outset, at the earliest design phase.[7]  Second, companies should ensure that personnel practices promote good security, for example by ensuring product security is addressed by someone appropriately senior, and by training employees on good security practices.[8]  Third, companies should ensure that any service providers they retain are capable of properly securing information.[9]  Fourth, for systems with significant risk, companies should adopt a “defense in depth” approach, implementing security protections at several levels.[10]  Fifth, IoT devices should require strong authentication before interacting with other devices in order to prevent unauthorized persons or devices from accessing a consumer’s device, data, or network.[11]  Finally, companies should continue to monitor products throughout the life cycle and patch known vulnerabilities.[12]

Given the nearly weekly headlines throughout 2014 announcing significant data breaches, the FTC’s focus on data security is not surprising.  Indeed, data security will be an area of intense focus for the FTC in the coming years, including for IoT devices.  The best practices outlined above reflect the FTC’s often-repeated mantra regarding the need to integrate data security considerations thoughtfully, throughout the lifecycle of product development and support.

Data minimization

In the report, the FTC strongly emphasizes that companies should examine their data practices and adopt reasonable limits on collection and retention of consumer data.[13]  The FTC further advises that when companies decide they need to collect data for a business purpose (as opposed to a purpose integral to the operation or use of the device itself), the data should be maintained in de-identified form.[14]

The FTC’s emphasis on data minimization is notable because it has implications for IoT and beyond.  Data minimization applies to many industries, and this represents yet another strong signal from the FTC on the subject, suggesting that failure to properly minimize data may be viewed as increasingly relevant to the FTC’s analysis of the reasonableness of a company’s data security measures under the unfairness prong of Section 5 of the FTC Act.

Notice and choice

The FTC report indicates that traditional methods of providing consumers with disclosures and choices may need to be modified as businesses and technology evolve.[15]  For example, many IoT devices lack user interfaces capable of even displaying such information.  Nevertheless, the FTC in the report reaffirmed its commitment to the principles of notice and choice.  According to the FTC, notice and choice are particularly important in the IoT realm because of how much data is collected and the very personal nature of that data.[16]  However, the FTC recognizes that there is no single best approach for providing notice and choice, particularly given the wide range of products available now and in the future.[17]

Legislation

In its report, the FTC does not call for IoT-specific legislation, but rather views IoT devices through the same lens as other Internet activities.  The FTC recommends that Congress enact substantive data security and breach notification legislation that would require companies to, among other things, notify consumers when a breach has occurred.[18]  Such legislation likely would preempt much of the patchwork of differing state laws that currently exist, though some states that have been particularly active in regulating data security issues may balk at ceding authority in this area.  The FTC also calls on Congress to enact baseline federal privacy legislation.[19]  Neither of these proposed laws would be IoT-specific; rather, they reflect policy proposals the FTC has been advancing since well before its focus on, and report related to, IoT.

Conclusion

The FTC’s report demonstrates that IoT devices, and the data security and privacy issues they raise, are on the agency’s radar and likely to receive significant attention in the coming years.  The FTC’s approach to examining these devices does not break much new ground from a policy perspective.  The agency’s proposed best practices for addressing the risks posed by IoT devices all relate to the long-standing Fair Information Practice Principles, first articulated in 1973, which form the basis for many government and private sector initiatives on consumer privacy.[20]  Moreover, the FTC’s proposed legislative responses to the coming IoT wave constitute a doubling down on the agency’s existing calls for broad data security and data privacy laws.  Thus, in addition to monitoring the FTC, we will closely watch Congress over the coming months for the prospect of legislation.


[1]  Fed. Trade Comm’n, Internet of Things: Privacy & Security in a Connected World (January 2015), available at http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices.

[2]  Id. at i.

[3]  Id. at 11.

[4]  Id. at 12.

[5]  Id. at 14.

[6]  Id. at 14-18.

[7]  Id. at 28.

[8]  Id. at 29.

[9]  Id. at 30.

[10]  Id.

[11]  Id. at 31.

[12]  Id.

[13]  Id. at 33-34.

[14]  Id. at 37.

[15]  Id. at 39.

[16]  Id. at 39-40.

[17]  Id. at 41.

[18]  Id. at 49.

[19]  Id. at 51.

[20]  Id. at 19.


Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the authors of this alert:

Howard S. Hogan – Washington, D.C. (202-887-3640, [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected])
Ryan T. Bergsieker – Denver (303-298-5774, [email protected])
Eric D. Vandevelde – Los Angeles (213-229-7186, [email protected])

Please also feel free to contact the following practice group leaders and members:

Information Technology and Data Privacy Group:
M. Sean Royall – Dallas (214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (213-229-7472, [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected])
Karl G. Nelson – Dallas (214-698-3203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (949-451-4114/650-849-5375, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (415-393-8234/650-849-5393, [email protected])

Intellectual Property Group:
Josh Krevitt – New York (212-351-2490, [email protected])
Wayne Barsky – Los Angeles (310-557-8183, [email protected])
Mark Reiter – Dallas (214-698-3360, [email protected])

Media, Entertainment and Technology Group:
Ruth E. Fisher – Los Angeles (310-557-8057, [email protected])
Scott A. Edelman – Los Angeles (310-557-8061, [email protected])
Orin Snyder – New York (212-351-2400, [email protected])

Fashion, Retail and Consumer Products Group:
Lois F. Herzeca – New York (212-351-2688, [email protected])
David M. Wilf – New York (212-351-4027, [email protected])
Howard S. Hogan – Washington, D.C. (202-887-3640, [email protected])

© 2015 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.