The legal issues with IoT – and the security risks of boundless data
Data security is a key concern with the Internet of Things, taking into account just how much data can be collected. With various IoT devices talking to each other, the potential for a data security breach is high and with more and more IoT devices coming onto the market, this issue is not going to go away.
For example, take the smart meter initiative led by the UK government. The intention is that by 2020, over 53 million smart meters shall be installed in over 30 million homes and small businesses. The potential here for households and small businesses to join the “grid” and be connected through an IoT device is huge.
With increased data collection, comes an increase in the risk of a breach or failure in data security. Is there a risk that this information could end up in the wrong hands? Absolutely, and to make matters worse, some IoT devices have not been designed to automatically update with new security updates and patches, leaving these devices without any security updates. There is also the risk that users may not update default passwords provided with the IoT devices or fail to update them with sufficiently strong passwords.
If hackers infiltrate IoT devices, the potential scope for damage is great. Take for example a smart car - a successful hack could impact the functions and safety of the car. Beyond personal use, IoT devices can be used in various businesses and institutions including hospitals. In hospitals, IoT devices can be used to track the vital information of patients, which medics can use to determine required medication. If these systems where hacked the result could potentially be life threatening. Whilst these examples are extreme, they do highlight the important of getting security right and ensuring user confidence and trust.
The security of data goes hand in hand with data protection. The current data protection regime in the UK is governed by the Data Protection Act 1998 which controls how personal data is used by organisations. There have been recent developments in respect of EU data protection law and the new General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Regardless of the UK’s EU membership status, any company which holds or uses personal data of EU citizens will still be required to comply with the General Data Protection Regulation. In addition, there is also the likelihood that in preparation to leave the EU, the UK will reform its current data protection law to bring it in line with the General Data Protection Regulation.
With the tightening up of the data protection regime, this will impact on the obligations and responsibilities imposed on those businesses involved in the collection and processing of data from IoT devices - including a requirement to carry out privacy impact assessments, increased scrutiny as to obtaining the consent of the user to process their personal information and enhanced data subject rights, to name but a few.
Adopting a privacy by design approach and incorporating privacy impact assessments into the design stage of the IoT devices should put data privacy at the forefront of the minds of the designers and manufacturers of IoT devices.
Linked with data protection is data sovereignty - the principle whereby digital data stored in a country will be subject to the laws of that country. The data from IoT devices may be held in the “cloud” or in a data center and it is vital to understand where that data resides. For example, if this is in the US, that data would also be subject to the laws of the US. This is particularly relevant given the developments in respect of the Safe Harbour Agreement and the EU-US Privacy Shield. IoT device providers will need to be clued up on where the data is to be located so it is clear which laws and regulations will apply in respect of that data.
With the potential for IoT devices to transform the way in which we conduct our daily lives, we have to question what happens in the event these devices get it wrong? Where does the liability sit?
Take for example smart, driverless cars. The potential is for these vehicles to radicalise the way in which we get from A to B. However, what happens in the event the car, whilst in driverless mode, is caught speeding or worst still, what happens if the car causes an accident? Who takes responsibility for this?
Recently, there has been a situation where autopilot driverless technology resulted in the death of the driver - the first known fatality resulting from such technology. That particular car manufacturer has stated that the computer programme used in the car is still in a ‘beta testing phase’, this is something which the driver is required to acknowledge prior to using the technology, and that drivers are warned to keep their hands on the wheel at all times and be “prepared to take over at any time”. Other car manufacturers have taken the stance that they will take full responsibility for their driverless technology – giving the driver certainty as to how liability would be allocated in the event of an accident. This approach sees a shift on responsibility from the driver to the car manufacturer. However, this approach is not currently the norm.
In support of the progression of driverless technology, the Department for Transport has initiated a consultation in respect of proposed changes to the laws and rules surrounding driverless cars and insurance cover for such technology. Under the proposed new measures, the rules would change, allowing for driverless cars to be insured and the Highway Code and associated regulations will be updated to support the use of driverless car features. No doubt steps such as this will pave the way for new regulations and provide drivers with the added confidence needed when deciding whether to purchase and use such technology.
The future of the Internet of Things
With much investment in the industry, the IoT’s market will no doubt continue to grow. Some of the gimmicks may fall by the way side but there is considered to be real benefit to a number of the smart products available today and envisaged for the future.
However, key to the success of the Internet of Things is consumer confidence. Manufacturers will need to convince consumers that the use of IoT devices is safe and secure and to do this, much work is still needed.
Interested in hearing industry leaders discuss subjects like this and sharing their IoT use-cases? Attend the IoT Tech Expo World Series events with upcoming shows in Silicon Valley, London and Amsterdam to learn more.
- » Why it's time to break down boundaries to unleash the full potential of IoT
- » Assessing the skills gap in the Internet of Things – and how smart recruitment is helping
- » Thales, Telstra, Microsoft and Arduino working on scalable IoT security with GSMA standard
- » Arduino-compatible dev board Frame.IoT seeks crowdfunding
- » Märt Kroodo, CEO, 1oT: On using eSIM technology to solve IoT connectivity – and where telcos stand