What Legal Risks Are Posed by the Internet of Things?
June 29, 2018 at 01:25 PM
We live surrounded by the Internet of Things, or more simply put, connected devices. They know what temperature to heat our rooms, what time we get out of bed and when we leave for work. From the time we wake up until the time we drift off to sleep, these 8+ billion connected devices are capturing, tracking, reporting and responding to massive amounts of information. As costs for storage and processing continue to decrease, companies can collect, analyze, share and act on an ever-growing dataset.
Companies are constantly seeking to collect and find value in information from these devices, such as wearable fitness trackers that record the location and activity of employees, biometric scanners, oil and gas pipeline leak detectors, and personal and commercial monitoring systems that control security and energy use, monitor vehicles, or promote worker health and safety. The data from all of these devices creates a double-edged sword with the potential to simultaneously create enormous benefits and legal headaches for companies and their legal counsel.
Data, and the connected devices allowing data collection, can be a significant corporate asset and liability. Companies are increasingly finding themselves, often unexpectedly, wholly immersed in managing cutting-edge data and the challenges that come with securing it from hackers (or partners) seeking to monetize it. In order to protect the company, counsel must have a good understanding of the technology as well as the applicable laws and regulations. Proactive steps are necessary since data-related decisions can impact millions of people simultaneously, and once a decision is made, it may be irreversible.
What are the risks to companies?
The IoT benefits employees and companies alike by making life more convenient, simplifying logistics, reducing costs, and increasing efficiencies and public safety. According to International Data Corp., more than 26.3 million wearable devices were purchased in 2017, and worldwide shipments of wearable devices are on track to grow 15.1 percent in 2018. Current projections are that the world will have more than 30 billion interconnected devices by 2020.
Privacy and data security issues arise from the interconnectivity of third-party IoT devices to company systems. It only takes one such device to compromise an entire company's network. In a recent attack on a North American casino, hackers exploited an internet-connected thermometer located in a lobby fish tank to penetrate the casino's network and steal information related to casino high-rollers. These data security risks can be compounded by employees' personal devices, which often lack effective encryption, privacy and security controls, leaving them susceptible to hacks by unauthorized parties who may gain access to a company's sensitive information or company network. Using data from exercise tracking devices, one company published an anonymized heat map. That led a security researcher in Australia to discover a number of otherwise unpublished military bases based on fitness trackers running circles in the middle of the desert.
IoT also has serious implications for litigation. There has been a paradigm shift from user-created data to user-generated data, with profound legal and data security implications; lawyers who understand how to leverage this data will have a tremendous advantage. Innovative IoT technology has generated new potentially relevant and discoverable evidence relating to activity, function, and even habits. Counsel needs to be conscious of technological advances in IoT devices for purposes of preserving and collecting evidence.
How companies can minimize risk
To better understand the impact of corporate decisions around data and device handling, counsel should interact with their IT team to understand uses of connected devices and associated data in their company. Whether launching a new product, or buying, selling or trading data feeds for business intelligence or marketing purposes, counsel should carefully consider the data elements involved, including sensitive data, retention of data, data accuracy, interconnectability with other systems, and relevant laws or regulations. Often IT is instructed by some other business unit to implement a tool or solution, and input from counsel is critical to establish risk awareness and guide the company between business opportunity and technological nightmare.
Once counsel understands the impact data security decisions may have, it is critical to make sure there are reasonable security controls over all segments of the connected devices' life cycle and provide the input necessary for security and legal defensibility. As some companies have discovered, not considering the full product life cycle can result in significant scrutiny from regulators. While it is likely impossible to avoid the Internet of Things, IoT security policies should be carefully coordinated with the IT teams and updated regularly to adapt to new technologies and evolve as risks and business practices change.
Counsel should focus on both preventing and planning to respond to a data security compromise. Implementing an IoT incident response plan to provide a structured process for information security incidents may help reduce legal exposure. This should include plans to report incidents, to deal with employee-introduced devices and to periodically re-assess the landscape since it is changing on a constant basis.
When a data breach happens, a company should follow the IoT incident response plan and react quickly to minimize litigation and regulatory exposure. In-house legal teams should ensure that there is a plan in place to extract and preserve relevant data to prepare for internal investigations or potential litigation. The company should immediately bring in skilled outside counsel to maximize privilege protections. A company will also need to evaluate its potential legal obligations, such as notifying regulators or consumers, and analyze any contractual obligations to provide notice to a customer, vendor, or its insurance company.
And just maybe, there are times when our data-tracking gadgets should take the night off.
Sheryl Falk is a partner and litigator in the Houston office of Winston & Strawn. She is co-leader of the firm's global privacy and data security task force. She counsels clients on privacy and data security issues, handles internal investigations and trade secret litigation, and, applying her skills as a former federal prosecutor, helps clients mitigate risks arising from data breaches.
Serge Jorgensen is a founding partner with the Sylint Group and provides technical development and guidance in the areas of computer security, counter cyber-warfare, system design and incident response. Jorgensen works closely with multinational companies and governmental agencies in analyzing and managing information security needs.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.