You may not have heard the phrase “Internet of Things” until now, but you are no doubt familiar with many of the “things” that make up the “Internet of Things” (or “IoT” for short), and you probably have numerous IoT devices in your home or business, and perhaps even on your person right now. The IoT is a phrase that was coined way back in 1999 by a British tech entrepreneur but which has gained increased cultural relevance in just the past few years. The IoT refers to the numerous electronic devices that connect to data networks and collect and transmit information. While we think of connected devices as including laptops and other computers, tablets, and smartphones which we manually use to send information, the IoT encompasses a plethora of other devices that transmit information, often automatically: security cameras, baby monitors, health and fitness monitors, smart televisions, video streaming devices, smart watches, advanced thermostat and lighting systems and so on. Experts predict that, by the year 2020, there will be 50 billion devices connected to the IoT.
Data Security Risks Posed by the IoT
While the typical user of such IoT devices may not be overly concerned with the data security issues presented by a lighting system or a personal fitness device, cybercriminals are focusing their efforts on hacking into IoT devices to steal information and to use them for other malicious purposes. In the infamous “refrigerator spambot” case in early 2014, hackers gained access to a smart refrigerator to send spam email. During the two-week period in which the refrigerator spambot was discovered, the security firm conducting the study detected over 750,000 spam emails being sent from 100,000 compromised devices, including routers, televisions, and other appliances.
The data security threat posed by the IoT is not limited simply to commandeering devices for spam purposes. Cybercriminals can gain access to IoT devices in order to steal the information being collected and transmitted by the devices. Such sensitive data can of course include proprietary business data and financial records, but, given the type of data collected by IoT devices, hackers can also use such devices to “eavesdrop” on users by accessing security cameras, baby monitors, and microphones. Devices that transmit medical information, whether for medical treatment purposes as with a hospital device or personal fitness information as with a heart rate monitor, can also be hacked in order to retrieve such private health information. And devices can simply be operated remotely by an unauthorized user who can maliciously turn off security cameras, unlock access doors and gates, and disable alarm systems, in order to facilitate thefts and other crimes.
Legal Risks of IoT Security Breaches
The data security threats posed by the IoT present a number of legal risks that your business and household need to be aware of and address. Clearly, the officers and managers of a business have a duty towards the owners, clients, and other third parties associated with that business to protect the information entrusted to and/or maintained by the business, and may face not only lower profits but litigation and regulatory risk by failing to take adequate safeguards against hacking of IoT devices.
The Federal Trade Commission has made clear for several years that it will take decisive action against companies who fail to take proper actions to protect consumer online privacy, and released a lengthy report in January 2015 calling for increased security in connection with the IoT. The FBI also released a warning related to IoT data security issues in September 2015, and so it is clear at this point that businesses cannot plead ignorance when data is compromised through IoT-related attacks. Outside of government enforcement concerns, class actions related to IoT privacy hacks have surged in recent years against the companies who have fallen victim to such hacks.
For more information on strategies for you and your business to avoid data security breaches associated with IoT devices and respond to breaches that may have already occurred, contact the data security attorneys at McCuneWright at 909.557.1250.