We live surrounded by the Internet of Things, or more simply put, connected devices. They know what temperature to heat our rooms, what time we get out of bed and when we leave for work. From the time we wake up until the time we drift off to sleep, these 8+ billion connected devices are capturing, tracking, reporting and responding to massive amounts of information. As costs for storage and processing continue to decrease, companies can collect, analyze, share and act on an ever-growing dataset.

Companies are constantly seeking to collect and find value in information from these devices, such as wearable fitness trackers that record the location and activity of employees, biometric scanners, oil and gas pipeline leak detectors, and personal and commercial monitoring systems that control security and energy use, monitor vehicles, or promote worker health and safety. The data from all of these devices creates a double-edged sword with the potential to simultaneously create enormous benefits and legal headaches for companies and their legal counsel.

Data, and the connected devices allowing data collection, can be a significant corporate asset and liability. Companies are increasingly finding themselves, often unexpectedly, wholly immersed in managing cutting-edge data and the challenges that come with securing it from hackers (or partners) seeking to monetize it. In order to protect the company, counsel must have a good understanding of the technology as well as the applicable laws and regulations. Proactive steps are necessary since data-related decisions can impact millions of people simultaneously, and once a decision is made, it may be irreversible.

What are the risks to companies?

The IoT benefits employees and companies alike by making life more convenient, simplifying logistics, reducing costs, and increasing efficiencies and public safety. According to International Data Corp., more than 26.3 million wearable devices were purchased in 2017, and worldwide shipments of wearable devices are on track to grow 15.1 percent in 2018. Current projections are that the world will have more than 30 billion interconnected devices by 2020.

Privacy and data security issues arise from the interconnectivity of third-party IoT devices to company systems. It only takes one such device to compromise an entire company's network. In a recent attack on a North American casino, hackers exploited an internet-connected thermometer located in a lobby fish tank to penetrate the casino's network and steal information related to casino high-rollers. These data security risks can be compounded by employees' personal devices, which often lack effective encryption, privacy and security controls, leaving them susceptible to hacks by unauthorized parties who may gain access to a company's sensitive information or company network. Using data from exercise tracking devices, one company published an anonymized heat map. That led a security researcher in Australia to discover a number of otherwise unpublished military bases based on fitness trackers running circles in the middle of the desert.

IoT also has serious implications for litigation. There has been a paradigm shift from user-created data to user-generated data, with profound legal and data security implications; lawyers who understand how to leverage this data will have a tremendous advantage. Innovative IoT technology has generated new potentially relevant and discoverable evidence relating to activity, function, and even habits. Counsel needs to be conscious of technological advances in IoT devices for purposes of preserving and collecting evidence.

How companies can minimize risk

To better understand the impact of corporate decisions around data and device handling, counsel should interact with their IT team to understand uses of connected devices and associated data in their company. Whether launching a new product, or buying, selling or trading data feeds for business intelligence or marketing purposes, counsel should carefully consider the data elements involved, including sensitive data, retention of data, data accuracy, interconnectivity with other systems, and relevant laws or regulations. Often IT is instructed by some other business unit to implement a tool or solution, and input from counsel is critical to establish risk awareness and guide the company between business opportunity and technological nightmare.

Once counsel understands the impact data security decisions may have, it is critical to make sure there are reasonable security controls over all segments of the connected devices' life cycle and provide the input necessary for security and legal defensibility. As some companies have discovered, not considering the full product life cycle can result in significant scrutiny from regulators. While it is likely impossible to avoid the Internet of Things, IoT security policies should be carefully coordinated with the IT teams and updated regularly to adapt to new technologies and evolve as risks and business practices change.

Counsel should focus on both preventing and planning to respond to a data security compromise. Implementing an IoT incident response plan to provide a structured process for information security incidents may help reduce legal exposure. This should include plans to report incidents, to deal with employee-introduced devices and to periodically re-assess the landscape since it is changing on a constant basis.

When a data breach happens, a company should follow the IoT incident response plan and react quickly to minimize litigation and regulatory exposure. In-house legal teams should ensure that there is a plan in place to extract and preserve relevant data to prepare for internal investigations or potential litigation. The company should immediately bring in skilled outside counsel to maximize privilege protections. A company will also need to evaluate its potential legal obligations, such as notifying regulators or consumers, and analyze any contractual obligations to provide notice to a customer, vendor, or its insurance company.

And just maybe, there are times when our data-tracking gadgets should take the night off.

Sheryl Falk is a partner and litigator in the Houston office of Winston & Strawn. She is co-leader of the firm's global privacy and data security task force. She counsels clients on privacy and data security issues, handles internal investigations and trade secret litigation, and, applying her skills as a former federal prosecutor, helps clients mitigate risks arising from data breaches.

Serge Jorgensen is a founding partner with the Sylint Group and provides technical development and guidance in the areas of computer security, counter cyber-warfare, system design and incident response. Jorgensen works closely with multinational companies and governmental agencies in analyzing and managing information security needs.