New Considerations for Old Data Security Wrinkles
As the Internet of Things expands, the FTC issues recommendations on how to keep consumers safe from data breach.
As the volume of information about absolutely everything we do becomes increasingly large, and as the number of data security breaches continues to climb, enterprise consumers of telecommunications services have become increasingly vigilant about staying current on the latest and greatest techniques for managing potential intrusion. We're all familiar with horror stories of the recent major data breaches that have hit the headlines in a big way. Target and Anthem come to mind immediately, but there are legions of others. Now consider the fact that these major corporations use relatively state-of-the-art detection and monitoring systems, and even they've been infiltrated with malware.
Now consider the router you use at home or in a less high-profile part of the business. How old is it? It is likely running software that is, in most cases, at least several years old. So based on the age and sophistication of all existing network components, the information stored on or traveling over the network is not just vulnerable to the type of threats that have affected the big boys, but to threats that are years old and correspondingly much less sophisticated than those currently making the rounds. Think of the adage "a chain is only as strong as its weakest link."
Spurred to Action
Aware of these obvious vulnerabilities made all the more acute by the explosion of the Internet of Things (IoT), the Federal Trade Commission has taken action. (Its report, released in January, can be found here.)
FTC Chair Edith Ramirez, whom I heard speak in the past month, is compelled by the fact that the privacy and security concerns created by the IoT's rise have the potential to undermine consumer confidence in a significant way. "The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers," she said recently. She said she believes technology innovation is only a good thing if consumers are confident that they won't be the next victims of a high-profile breach. If this heretofore private information is readily accessible to the immediate world, and what was thought to be private is now public, consumers have good reason to be alarmed in general and distrustful of the companies that manufacture, distribute, and sell such products.
In its report, the FTC made several important suggestions to mitigate consumers' concerns. First, the FTC encourages manufacturers to ensure that security is built into devices as they're made, rather than after they're already on the market. Secondly, the agency suggests that all employees be instructed on the importance of information security, and that security issues have a sufficiently high profile within the manufacturing/selling organization to keep them front and center at all times. Although there are other suggestions, the last uber-critical one is that devices be monitored throughout their anticipated life cycle (think home routers) such that security updates and patches are provided at all times to cover known and newly discovered risks regardless of device age.
In addition, the FTC suggests that companies in this space consider "data minimization," the practice of limiting the collection and retention of consumer data for a set period of time only, and never indefinitely. According to the FTC, data minimization has two goals with respect to privacy: First, accepting the risk that a company with a large store of consumer data is "a more enticing target" for data thieves or hackers based upon the volume of data that it has, and secondly, an acknowledgment that "available consumer data will be used in ways contrary to consumers' expectations." Finally, the FTC strongly suggests companies selling IoT items to consumers educate them about their reasonable expectations of what information is being collected and stored, and for what period of time.
As Jahangir Mohammed, chairman of the Silicon Valley-based tech company Jasper, said in a recent interview, "The real power of the Internet of Things is that it transforms a static product into a dynamic service. Once a thing is connected, it really becomes unlimited in terms of what it can process, because it can borrow from all the computers in the Internet to do the processing and it has real-time access to all the information in the Internet. It's no longer an isolated thing. It's become part of a fabric of everything connected. It's a part of a much larger fabric. It's a service. This is the real power of the Internet of Things."
The information that's generated by the IoT is no doubt powerful. But with great power comes great responsibility -- on the part of the manufacturer, distributor, retail outlet and, ultimately, consumer. Privacy and security experts encourage consumers, in the strongest possible terms, to consider the risks and consequences before sharing seemingly harmless information with the immediate world. I couldn't agree more.