Strategies for addressing the legal risks of IoT implementation

The internet of things has transformed organizations across all sectors. Back in January 2016, analysts from Tech Pro Research surveyed almost 200 information technology professionals from businesses with established IoT workflows and found that 68 percent had seen demonstrable return on investment, including better data-backed decision-making, more accurate production forecasting and increased sales.

Of course, these results were achieved through the use of early enterprise IoT technology, suggesting that modern companies could realize more significant returns should they embrace the numerous fine-tuned mobility offerings on the market. However, survey respondents also pinpointed one of the primary pain points that accompanies IoT adoption: increased environmental complexity, something more than one-third of participants attested to experiencing. 

Connected enterprise devices do indeed complicate matters from an operational standpoint. This increased complexity can not only lead to everyday productivity problems but also leave businesses vulnerable legally. How? The average smartphone user accesses mobile applications 89 times per day, according to research from Fierce Wireless. During these numerous sessions, huge amounts of data are generated. From personal information to customer and company insights, IoT users are continually creating and transmitting sensitive data of all kinds. This creates business risk, as the organizations that provide enterprise hardware and software are responsible for protecting the information flowing through these fixtures.

When digital defenses fall apart and data breaches occur, the legal repercussions can be disastrous. In addition to paying the more than $3.6 million in mitigation costs that, according to IBM and Ponemon Institute, accompany every breach, organizations may find themselves dealing with considerable legal fees while weathering massive losses related to customer attrition. 

With this unsavory outcome in mind, modern enterprises considering IoT implementation and those with existing mobile assets must ensure they account for the potentially terrible legal backlash that could result from program mismanagement.

An unregulated environment
Despite the prevalence of IoT technology in both the commercial and enterprise spaces, there are no standardized data security benchmarks. Instead, technology vendors work with product testers and cybersecurity firms to vet their products without input from government agencies and other public institutions, SC Magazine reported. In recent years, vendors have begun working with Underwriters Laboratories, an independent consulting and safety solutions firm, which maintains its own data security standards developed in collaboration with information technology experts.

However, these private industry solutions have largely failed, as 48 percent of IoT adopters have experienced data loss of some kind, according to researchers at the consulting firm Altman, Vilandrie and Company. As more IoT devices come online and hackers perfect their infiltration techniques, more of this activity is expected to occur.

"IoT attacks expose companies to the loss of data and services and can render connected devices dangerous to customers, employees and the public at large," Stefan Bewley, director of Altman, Vilandrie and Company, explained. "The potential vulnerabilities for firms of all sizes will continue to grow as more devices become internet dependent."

Insecure IoT technology can create legal liability.

Addressing security negligence through the judicial system
With IoT-related data breaches becoming more common, government regulators are attempting to crack down on enterprise security negligence via the judicial system. The most visible example of this push came in January 2017 when the Federal Trade Commission sued connected hardware maker D-Link, ZDNet reported. In a suit filed in District Court in San Francisco, the FTC alleged that the company had compromised the privacy of thousands of users by failing to properly secure its IP cameras and routers.

The FTC was unable to provide proof of data breach activity related to the products mentioned in the lawsuit, according to the Consumerist. Nevertheless, the action did highlight the potential legal problems that come along with enterprise IoT use, while revealing the willingness of state and federal bodies to protect consumers, ZDNet reported.

"It is more likely that the FTC and other federal regulators will continue to try and fill the gaps using their authority under existing laws," data security law expert Jeremy Goldman told the publication. "States have become increasingly active in the data security space, both in terms of cyber-policing by state [prosecutors] as well as state legislatures passing new cyber security laws."

There are indeed numerous laws on the books that can be deployed against businesses that fail to properly protect or use their IoT infrastructure. Governments in Western Europe are particularly effective when it comes to encouraging data security best practices through strategic deployment of the legal system, ComputerWeekly reported. The rise of IoT has increased such activity, with governmental prosecutors using criminal liability laws to keep firms with IoT-based workflows in check. The U.K.'s Data Protection Act gives British legislators the power to go after companies that collect consumer or employee information without consent, or misuse that data.

The European Union's Network Information and Security Directive offers additional protection, encouraging enterprises to adopt industry-standard IoT protections out of fear of legal action and financial penalty. Of course, the EU's General Data Protection Regulation, which recently took effect, puts further pressure on organizations with IoT infrastructure in place. 

While Europe continues to roll out new regulation designed to protect device users involved in IoT networks, the U.S. remains in a holding pattern. Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines attempted to change that in August 2017 when they drafted the Internet of Things Cybersecurity Improvement Act, according to Congressional records. The bill, which has yet to make it out of the House of Representatives, establishes data security guidelines for IoT vendors that hope to sell their products to the federal government.

"My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products," Sen. Warner explained in an interview with Cnet.

However, there has been little activity regarding the legislation, making it unlikely that federal data security regulations will come to fruition any time soon.

"Approximately 72% of employees are considered IT novices."

Avoiding IoT legal entanglements
With the current regulatory environment in play, businesses must be vigilant about maintaining tight IoT data security protections so as to avoid legal issues. How can IT stakeholders effectively protect their connected devices and avoid getting into legal entanglements?

Developing an actual user privacy team is perhaps the most effective strategy, according to Risk Management Magazine. When constructing such groups, the first issue enterprises must address is leadership: Who is in charge of ensuring IoT workflows do not sacrifice user privacy? Normally, organizations select cross-functional executives who have the technical skill sets and managerial experience needed to lead an entire privacy compliance team.

Next, firms must map data collection, storage and dispersal practices, as privacy compliance groups must have a clear understanding of how information moves throughout organizational IoT assets to truly assess the degree to which users are protected. Following this step, privacy compliance teams should draw up detailed internal policies and model vendor contracts that communicate clearly any and all requirements regarding employee or customer data usage. 

With these building blocks in place, businesses can move onto more long-term steps, starting with the creation of internal workflows that promote the privacy-by-design methodology. This ensures that all IoT policies and workflows are designed to account for user privacy, reducing the likelihood of noncompliance and, of course, potential legal trouble.

Lastly, privacy policy teams must work with internal and external IT stakeholders to develop employee training programs that give users the information they need to safely navigate IoT processes. Many data breaches and instances of data loss can be traced back to human error due to the fact that modern workers do not know how to avoid security risks, according to research from Media Pro. Approximately 72 percent of employees are considered IT novices, meaning they can use online tools but do not have the advanced knowledge needed to protect themselves and coworkers from digital threats. A mere 12 percent of workers are what Media Pro deemed "heroes," or highly informed individuals who steer clear of risky behaviors. 

With privacy teams in place and training underway, businesses can address the technical variable of the IoT equation. This involves pinpointing and working with reliable hardware and software providers that hold themselves to high data security standards. It also requires more expansive work, potentially including the launch of IT modernization efforts. Firms can protect themselves from IoT-related legal issues by strengthening their underlying IT infrastructure, as well as the internal and external applications that rely upon these core IT assets. With strong foundations in place, IT stakeholders can put into place highly secure IoT workflows that catalyze organizational growth while protecting end users and reducing the likelihood of expensive legal problems.

The Inventu Corporation can help companies looking to bolster their backend systems via IT modernization prior to IoT implementation. We offer a variety of solutions capable of easing the IT modernization process. For example, our innovative Flynet Viewer makes screen integration and modernization easy, meeting employer and staff expectations in a way that feels both familiar and simple. Review our product page to learn more about the Inventu Flynet Viewer and the other solutions in our portfolio.