IoT, Infosec Trends, and International Privacy Law
Notes from the Privacy + Security Forum in DC
This year I was able to attend the Privacy and Security Forum for the first time. Organized by Daniel Solove and his TeachPrivacy organization, this informative event showcased the deep knowledge of the privacy, security, legal, and compliance speakers and attendees. Everyone at the forum showed an obvious passion for their work and an evident enthusiasm for learning and sharing knowledge.
I was fortunate to participate in the forum as both an attendee and as a panelist for the session “Securing IoT: Think outside the Wall.” This session centered on the application of privacy principles to how internet-connected devices and their firmware are developed and manufactured. I was joined by Julie Brill, former FTC Commissioner and current partner at Hogan Lovells, and Ned Miller, Chief Technology Sector, Public Sector, at Intel Security Group.
Here are a couple of the main takeaways from our discussion:
- The Internet of Things is bigger than you think – and growing. Home networking hubs are already appearing on many gift guides for this holiday season, and it is estimated by the IDC that by 2020, the Internet of Things will comprise 50 billion devices.
- Industry best practices must include privacy principles and security best practices from the start. From concept and development to transparency in how data is used, building privacy practices into the development of IoT devices is one way to help prevent incidents like the recent DDoS attack on the Internet that brought down the East Coast network.
- Beyond use of the data, we must consider how the device itself is manufactured – with privacy and security by default. For example, webcams should not ship with an unauthenticated or default-credential login enabled unless the user explicitly activates it. Hackers develop botnets by testing default passwords against unsecured devices throughout the Internet, in some cases through a Telnet service that remains open even after the user thinks they have set a password in the device’s app or web interface.
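The last point describes a concrete failure mode: the user changes the password in the app or web interface, but a separate management service (Telnet) keeps listening with the factory credential. The following is an added example, not code from the forum or from any vendor discussed on the page, of how a manufacturer's firmware could audit and enforce "secure by default" on its own configuration before bringing management services up. The configuration fields, the list of factory credentials and the finding messages are constructed assumptions for illustration.

```python
"""Audit and harden an IoT device's management-interface configuration so that
no remote login is reachable with factory-default credentials or without the
user having explicitly turned remote access on.

Constructed example: the DeviceConfig fields and FACTORY_DEFAULTS below are
assumptions for illustration, not any real vendor's schema.
"""
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

# Credential pairs the firmware treats as factory defaults (constructed list).
FACTORY_DEFAULTS: Set[Tuple[str, str]] = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}


@dataclass(frozen=True)
class DeviceConfig:
    """Snapshot of the credentials and services a device would boot with."""
    web_user: str
    web_password: str
    telnet_enabled: bool
    telnet_user: str
    telnet_password: str
    # True only after the owner deliberately enabled remote/legacy access.
    user_activated_remote_access: bool = False


def is_factory_default(user: str, password: str) -> bool:
    return (user, password) in FACTORY_DEFAULTS


def audit(cfg: DeviceConfig) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    if is_factory_default(cfg.web_user, cfg.web_password):
        findings.append("web interface still uses factory-default credentials")
    if cfg.telnet_enabled:
        if not cfg.user_activated_remote_access:
            findings.append("telnet enabled without explicit user activation")
        if is_factory_default(cfg.telnet_user, cfg.telnet_password):
            # The exact trap from the text: the web password was changed but the
            # Telnet credential was never rotated alongside it.
            findings.append("telnet still accepts factory-default credentials")
    return findings


def harden(cfg: DeviceConfig) -> DeviceConfig:
    """Apply secure-by-default rules: Telnet stays off unless the user enabled
    it AND the web credential is no longer a factory default; when it is on,
    it reuses the user-chosen web credential instead of a stale factory one."""
    web_is_default = is_factory_default(cfg.web_user, cfg.web_password)
    allow_telnet = cfg.telnet_enabled and cfg.user_activated_remote_access and not web_is_default
    return replace(
        cfg,
        telnet_enabled=allow_telnet,
        telnet_user=cfg.web_user if allow_telnet else cfg.telnet_user,
        telnet_password=cfg.web_password if allow_telnet else cfg.telnet_password,
    )


# Constructed sample: owner changed the web password, Telnet left as shipped.
SAMPLE = DeviceConfig(
    web_user="admin",
    web_password="Tr0ub4dor&3-rotated",
    telnet_enabled=True,
    telnet_user="admin",
    telnet_password="admin",
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(SAMPLE)))
```

The audit runs entirely against the device's own configuration, so it can be executed at boot before any listener is opened; `harden` does not try to guess a new credential but simply refuses to expose a service the user never turned on.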
Top Privacy and Security Trends and Topics
In addition to my own session, I made sure to make the most of the robust speaker list by attending as many other sessions as I could. Below are a few of the relevant sessions and findings.
In “Privacy and Security in the Employment Relationship” with Bret Cohen, Hogan Lovells employment attorney, and Steve Sheinberg, General Counsel of the Anti-Defamation League, I found the perspectives of fellow in-house attorneys helpful. Both reinforced employment law as a critical piece of security and privacy in the workplace and discussed the balance between protecting an organization’s intellectual property and security and respecting the legally protected rights of employees.
In “Connected Healthcare Devices: Proactively Addressing the Privacy and Security Risks,” Lucia Savage, Chief Privacy Officer of the Office of the National Coordinator for Health IT, U.S. Department of Health & Human Services, Nyla Beth Gawel, Principal, Booz Allen Hamilton, and Sumit Sehgal, CTO Healthcare, Intel Security, discussed the widely held impression that organizations are overwhelmed by security and privacy, finding it difficult to understand and protect this field because security is often a very small subset of the overall Information Technology budget – which itself may be underfunded.
“Regulating the Internet of Things and Big Data: The Role of the FTC,” featuring Jessica Rich, Director, Bureau of Consumer Protection, FTC, and Kurt Wimmer, Partner at Covington & Burling, impressed upon us that IoT will be a priority in enforcement for the agency, which is informed by private-sector consultants with a deep understanding of the technical issues and the state of technology. For me, a takeaway from this session was that the FTC is cognizant of the fact that individuals can be identified through analytics, even when personal information is not collected by any one party.
“Privacy and Security in the Connected World” was another IoT session featuring manufacturers Cassius Titus, Senior Counsel at LG, Evie Kyriakides, Chief Privacy Officer and Associate General Counsel of Global Digital, Privacy, and Security at Mars, Inc., and Caroline Boulanger, Digital Attorney at Hasbro. As part of the discussion into connected devices and the privacy of minors under the Children’s Online Privacy Protection Act (COPPA), I noted the similarities and differences between the GDPR, EU law, and COPPA. COPPA elevates scrutiny of data gathering products that may reasonably be purchased and used by children. The necessity to obtain parental consent is not entirely unlike the GDPR’s approach. This makes sense, because they are founded on similar privacy principles.
International Privacy Law Trends
To put US enforcement in the context of the rest of the world, I also attended sessions on international privacy law. Here are three interesting developments abroad:
- Canada and the Personal Information Protection and Electronic Documents Accord (PIPEDA)
Canada, as the largest trading partner with the US, has complex privacy laws that are not well understood by most American businesses. This is partly due to the fact that under Canada’s privacy law, PIPEDA, data breach notification rules are not yet mandatory. Enforcement has been through private action, but that is not expected to remain the case. It is anticipated that the Office of the Privacy Commissioner in Canada is likely to enforce a data breach notification rule by fall of next year.
- Japan and the Act on the Protection of Personal Information (APPI)
Japan has a long legal tradition, with a data privacy law, APPI, that went into effect in 2005. Under APPI, personal information is defined as information relating to a living individual in combination with an identifier data element. This definition is similar to some US state personal information definitions. Amendments to APPI are expected to come into force within the next two years and will include:
- A new category of “sensitive information,” which is quite similar to “special categories” of personal data under EU law
- Introducing the concept of anonymized data, similar to the EU’s “pseudonymised data”
- Removal of the de minimis exception under which APPI only applies to databases of more than 5,000 individuals
- South America
The laws of South American countries have developed quickly in order to improve trade with Europe. Since 1999, more than a dozen South American countries have passed data protection acts that look substantially similar to European data protection acts passed under EU Directive 95/46/EC. Further developments are expected, including new laws in Argentina, Uruguay and Brazil that are intended to match the GDPR. Previously, enforcement of these laws has been considered weak because many data protection authorities are not properly funded and many companies are not aware that the laws exist.