“If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost,” Kevin Ashton wrote in the RFID Journal back in 1999. Today, the Internet of Things (IoT), with connected devices literally everywhere, is moving us towards this vision of a society in which businesses run with maximum efficiency, resources are used sparingly and wisely, and our every individual need is anticipated and met at the click of a mobile device button. It’s already happening: Internet-connected devices monitor buildings, factories, cities, and crops to conserve energy and other resources, refrigerators can text you grocery lists, and your mobile phone can find the nearest Starbucks for you and order your favorite drink so it’s ready when you arrive.

Webinar: Criminal Access to Healthcare Information: What Can Be Done To Better Protect PHI?

The flip side of this vision is a dystopia where individuals are monitored every moment of every day, personal privacy is a distant memory, and individuals and organizations are exposed to constant threats of theft and worse. (A headline in The Guardian this year asked, “Internet of things: the greatest mass surveillance infrastructure ever?”)

All the services provided by the IoT depend on monitoring something—a user’s GPS location, the amount of electricity or fuel being used, the location of a package in transit, the amount of medicine being dispensed by a medical device, the image feed from a security camera—and all those monitors are transmitting massive amounts data that can be used or misused by anyone with the determination to get it. The IoT is exploding, and if the businesses that are benefitting from it don’t get ahead of the privacy and security issues, they and their customers will quickly become victims of their own success.

Privacy in the Age of Big Data

Quote: Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it's digital cameras or satellites or just what you click on, we need to have more explicit rules—not just for governments but for private companies. —Bill Gates

Whenever a device transmits data, there is a privacy risk. For example, in May 2015, CNN Money reported that hackers in stores were stealing Starbucks customers’ mobile payment information and using their Starbucks apps to drain bank accounts via the auto-reload feature. Researchers have shown that everything from medical devices to vehicles can be hacked [links to our medical device and IoT3 articles], and there is always the risk that a would-be burglar will tap into a smart home to find out whether the owner is there. (In fact, the Federal Trade Commission (FTC)’s first complaint related to the IoT was against TRENDnet Internet-connected cameras that allegedly failed to protect consumer credentials.)

But the other large privacy risk of the IoT is the sheer volume of personal data that will be available to organizations via these devices, and the challenge of protecting it. Cisco research estimates that the IoT will generate over 400 zettabytes of data annually by 2018. (That’s 400 trillion gigabytes.) In addition to information directly related to whatever service or process the device delivers, organizations will be able to gather a potential treasure trove of data on trends, user behavior and preferences, locations, and more. In many cases, the inclination will be to warehouse most or all of that information and figure out how to leverage it later. Data analysis could reveal new opportunities for product offerings, personalized advertising, location-specific services, or selling information to other businesses. Smart devices helping businesses to be smarter. What could be more fitting? But the IoT is in its relative infancy, and how organizations handle the privacy and security of all this information will determine their success in using it, and whether regulatory agencies decide to get involved.

Containing the Risks of IoT Big Data

The larger the data store, the more attractive it will be to cyber-criminals, and the data being generated by the IoT could dwarf today’s typical data repositories. The sheer variety of IoT devices and services also guarantee that these data stores will contain more than basic SSNs and financial information. Access to very personal information will be rich fodder for phishing and other targeted attacks meant to rob victims or use them to gain access to business networks. Five years from now, as IoT devices become even more ubiquitous, we will be seeing news of cyber-schemes and scams that we can’t even imagine today.

At the beginning of 2015, the FTC issued a report on the IoT, The Internet of Things: Privacy and Security in a Connected World. In addition to looking at issues around device security, the report discusses the risks of data collection from the IoT. The report makes two high-level recommendations to organizations capturing data from the IoT:

  • Minimize data stores by determining up front what data could be truly useful from a business standpoint, then limiting how much will be collected and retained. If you do choose to collect data sets containing personal information, de-identify the data wherever possible.
  • Give users notice and choice about how their data will be used and with whom it may be shared. The report notes that this can be challenging with devices that don’t have a user interface, but the packaging on consumer devices, for example, could direct users to a web site where they can review privacy policies and set their preferences.

The FTC report also notes that IoT technology and business models are developing fast—too fast for regulators to define appropriate IoT-specific privacy protection—so technology vendors and businesses need to develop their own best practices and policies. (With the implicit message that, if business doesn’t set standards, the government will.) Precisely because the situation is developing so fast, we recommend that privacy and security professionals move preemptively to define best practices for IoT usage in their own organizations.

  • Work with IT, information security, and business units to educate staff on IoT risks and build a process for assessing and deploying IoT technologies in business processes.
  • Designate IoT experts within the organization to aid business units in technology selection, risk assessment, and planning. (The experts may be existing staff who you ask to educate themselves on IoT technology, standards, and practices.)
  • Make sure the selection and planning process includes risk assessment based on the technology selected, the data collected, and the chain of custody of information from the device to the data center and throughout business processes.
  • Require that before data is collected, there is a plan defining how it will be used, business partners and channels with which it may be shared, and how to offer consumers information and choice on its use.
  • If you are in a regulated industry such as healthcare, finance, or energy, make sure that IoT business practices meet your specific regulatory requirements.
  • Choose the most secure IoT technology available, and push for continuous improvement in security standards. A recent article on the tech site Betanews enthused about the unlimited possibilities for connecting “things” to the Internet, and the possibilities for connecting even old and outdated devices. Remember that every device is an endpoint into your business networks. Given that many devices (even the newest ones) lack effective security, the best advice on connecting old devices is “Don’t.”
  • Once business teams start collecting data from IoT business processes, they will come up with new ways to leverage it. Check in regularly to maintain their awareness of privacy issues and make sure that that new uses aren’t putting sensitive information at risk.

The business opportunities of the IoT are exciting and transformational, and your business should be prepared to take advantage of them. But, as a recent white paper from the Industrial Systems Audit and Control Association (ISACA) noted, business teams outside of privacy and security are likely to focus almost exclusively on the business potential. (Check out the white paper for a really good list of do’s and don’ts for adopting IoT technology.) To leverage the IoT successfully, your business needs to move quickly but cautiously. You can help them prepare by putting safety checks in place now.

Webinar: Criminal Access to Healthcare Information: What Can Be Done To Better Protect PHI?