IoT Raises New Legal Challenges For Business - InformationWeek

Privacy, security, and data ownership issues surrounding Internet of Things devices are creating a host of new legal questions and problems. Here's what's happening now, and what you need to know.

Drones, wearables, the Internet of Everything: As more and more data about individuals and businesses is collected and combined, new waves of litigation and lawmaking will follow.

Internet of Things (IoT) devices represent potential points of security failures, and the data they generate or collect is raising new privacy concerns. In addition, since the IoT involves an entire value chain of hardware, software, and services, data ownership issues may arise among different parties, including the device manufacturers, software providers, service providers, end users, and others.

"As of today, information collected via devices generally can be used for almost any purpose, which is pretty scary as a consumer. It's also scary for businesses, because there are a wide variety of instances where issues can arise," said James Goodnow, a partner at law firm Lamber Goodnow, in an interview.

For example, some businesses are encouraging employees to use Fitbits or other health wearables. Those companies are often focused on the positive aspects of device use, such as wellness (which can potentially reduce the healthcare premiums they pay and reduce the number of sick days employees use). However, the same organizations may not have considered the potential risks of embracing such devices.

"Right now, it's probably not a good idea for employers to collect that information, because the laws are unclear and you may be setting yourself up for problems," said Goodnow. "If you're collecting health information and it's decided the person needs to be terminated, you've exposed your company to liability. The information you've collected may show a disability by tracking heart rate or activity or that someone isn't as healthy as they should be."

If it is determined that the employee is a member of a protected class, as defined by the Americans with Disabilities Act (ADA), then unlawful discrimination allegations may arise. So, before being seduced by the potential benefits of IoT devices, make sure you also understand the potential risks.

More Data, Less Privacy

There is no shortage of gadgets generating and collecting data. In fact, Gartner estimates that 6.4 billion "things" will be used worldwide in 2016. In the rush to introduce the latest and greatest devices, manufacturers may not have adequately contemplated privacy and security issues.

For example, VTech is being sued in Illinois for fraud and deceptive business practices, breach of contract, breach of good faith and fair dealing, breach of implied warranty, and negligence. Its product was allegedly vulnerable to a SQL injection attack that allowed hackers to steal the personal information of 2.8 million parents and children.

New classes of devices, including wearables and drones, are collecting information that previously was either unavailable or not cost-effective to procure, particularly on a persistent basis.

"Consumers are going to be providing information to products in a new way that companies have not thought of. Those companies may not have thought about privacy the same way an Internet-facing line of business in the same organization would," said Nicholas Merker, co-chair of the data security and privacy practice at law firm Ice Miller, in an interview. "If you've never captured information in your product and you want to start now, you're going to have some of the problems folks had in the Internet era when they started doing the same thing."

Disclosure -- explaining how the information generated or collected by the device will be used -- is another consideration device manufacturers and their customers may be overlooking.

"Disclosures are about what [the product] is and how to use it, and not focused on how data is used and how it's collected," said Paul Bond, co-leader of the information technology, privacy, and data security group at law firm Reed Smith, in an interview. "That's especially true for devices that have no keyboard or interface, so the thought is, it's not collecting [personally identifiable information]."

Further, the data generated or gathered by IoT devices may be demanded in a lawsuit as part of "any electronically stored information," which is why companies should consider whether they want to store such information in the first place -- and if so, what the potential risks might be.

"If you're forking information over about your employees, you're going to have some pretty unhappy employees and potentially more liability arising from that," said Goodnow.

And, of course, IoT devices are a new playground for hackers -- cars, medical devices, and even guns are potentially vulnerable. In some cases, those devices may be used as a way of infecting other connected systems, which means companies may find themselves liable for issues they didn't even anticipate.

For its 2015 IT Risk/Reward Barometer, nonprofit IT industry association ISACA surveyed 7,016 of its members in 140 countries in August and September 2015. The vast majority of IT professionals polled (77%) said that the IoT has benefited their company. However, 73% do not believe IT industry security standards sufficiently address the risks. Further, 49% of respondents said they do not believe their IT department is even aware of all the connected devices in their organization. Those are the kinds of vulnerabilities that can expose companies to potential liability.

Data Ownership Rights May Arise

Individuals like to think they own their own data, but in the US, consumers and business users are freely trading it for the privilege of using a product or service. Contracts, including end-user license agreements (EULAs), define who owns the data -- which is another reason not to mindlessly rip open a package or click on an "I agree" button.

And, because IoT devices operate as part of an ecosystem, and many of the devices are being designed to communicate with each other, data ownership can become a very real issue. In fact, even farmers are being advised to understand data ownership issues before negotiating contracts with drone manufacturers.

Is your organization encouraging employee use of IoT devices? Would you want to work for a company that asks employees to wear Fitbits or other health trackers? Is your company aware of the legal issues involved in collecting personally identifiable information from employees or customers? Tell us all about it in the comments section below.

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include ...

User Rank: Author
1/22/2016 | 6:57:31 PM
Use and transparency

Many employers are already using wearables to track workplace behavior in factories and assembly jobs. White-collar workers can also be tracked through RFID technology in their ID cards. Wearables are certainly here to stay; the issue is assuring that employees understand how the data is being used and how it impacts the employees. Many employees are not aware that their ID may be used to impact their career.

User Rank: Author
1/19/2016 | 3:11:55 PM
Re: I see no legal problems at all, as long as IoT would be a part of all unstructured data!
@Lisa I believe there are legal issues that will have to be tackled. For now, generally, they try to skirt invasions of privacy concerns by making things like having employees share their FitBit data opt in.