Since many IoT devices capture data, IoT companies are fielding and will increasingly field requests for the data in connection with criminal or civil proceedings. Attorneys from Morrison & Foerster discuss the growing demand and what IoT companies should consider going forward.
There are an estimated 10 billion internet of things (IoT) devices — a number forecast to skyrocket to more than 64 billion by 2025.[1] Devices that historically were never internet‑connected now collect and share zettabytes (1 zettabyte = 1 trillion gigabytes) of data about people (through consumer‑facing devices) and companies (through industrial IoT devices).[2]
Companies that manufacture smart devices now are also data companies, whether they want to be or not — and the data they collect is an increasingly rich target for law enforcement and other governmental requests, as well as subpoenas and other legal demands for production of data (collectively, “data requests”). Legal counsel are seeing an increasing number of companies across industries receiving law enforcement requests for stored data, and yet many IoT companies have not yet considered how they will comply with them.
In recent years, debates about law enforcement access to data have focused on interactions between the U.S. government and major technology companies, but smaller IoT companies should expect to receive data requests in connection with criminal and/or civil proceedings as well. To effectively respond, IoT companies should consider the following:
Design IoT Products and Services with an Eye Toward Future Law Enforcement and Similar Data Requests
As a general principle, the less data a company collects or retains, the less data that company may be required to disclose in response to a data request.
Initial decisions about a product’s or service’s data collection, storage, retention and encryption practices can directly impact what data is requested by law enforcement and what data is available to respond to requests. For example, will your smart-home device track when and where a user activates devices, or will it simply enable remote activation? If you decide to track device usage, what type of information will you collect, how long will you store it and in what format? The more data you collect and the more accessible you make that data, the greater the likelihood you will receive a data request. Companies that make IoT devices should consider how their design decisions might give rise to such requests and the associated challenges they might pose.
Develop a Protocol in Advance for Responding to Data Requests
If today your company were to receive an urgent demand from law enforcement for your customers’ data on alleged national security grounds, would you know what to do? Developing a protocol in advance can help you avoid turning each request into an unnecessary fire drill and increase your odds of responding appropriately. In developing this type of protocol, it is valuable to consider operational processes, legal framework and corporate philosophy:
Identifying Stakeholders and Decision-Making Authority
Do you know which stakeholders within your company would need to be consulted about the company’s response to the demand and who has the final decision-making authority? The odds are high that this decision will go beyond the legal function and will include stakeholders involved in managing the customer relationship, public relations and executive management. The stakes are high, with your company facing government pressure on one side and potential legal, business and PR risks from the customer on the other side, so you’ll want to identify in advance who within your company needs to be at the table.
Understanding the Legal Requirements
Do you have a general understanding of the legal frameworks that apply to the types of data requests that you may receive, such as requests under the federal Stored Communications Act (SCA) or applicable laws in other countries? While there is no need to include an extensive legal analysis in your protocol for handling data requests, it is helpful to identify the typical legal frameworks that may be relevant for your business to jump-start your analysis in a particular situation.
Different types of data require different legal processes. Some IoT companies may collect data subject to the SCA, for example. Under the SCA, there are different rules for disclosing subscriber information (such as name or IP address) as compared with content (such as the substance of an audio or video recording). It is helpful to categorize the data your company collects and determine the general legal frameworks for each to avoid ad hoc and repetitive analysis.
Applicable laws may provide important exceptions. For example, the SCA permits companies to voluntarily disclose to law enforcement – without a legal process – the contents of electronic communications if the company believes in good faith that an emergency involving danger of death or serious physical injury requires disclosure without delay. How will the company determine whether circumstances amount to an emergency? Who needs to be notified, and how will the company expedite the response? These are challenging questions, and IoT companies should be prepared to answer them before receiving an emergency request.
IoT companies – and particularly those with global customer bases – should expect requests from foreign law enforcement agencies. Because the legal mechanism for such requests can take months or even years, foreign law enforcement agencies will often issue preservation requests (directing the recipient to preserve categories of records for possible production) along with a demand. Establishing standards in advance about when and how long to honor such requests may prevent a company from later being criticized for failing to cooperate with foreign regulators.
Deciding Your Company’s Philosophy on Data Requests
Beyond the legal issues, it is also important to consider any commitments your company has made to its customers or the public, as well as your company’s overall philosophy when handling data requests. Some companies have a general policy of turning over information only when accompanied by a valid legal process, even if this may incur additional pressure and cost in fighting the data request. Some have a policy of notifying customers when their data is turned over (and many have made contractual commitments to notify B2B customers to the extent permitted by applicable law). Some release aggregate data showing the types of requests they receive and information they provide. Companies that provide IoT devices should consider what their overall approach will be to such requests consistent with applicable legal requirements, their brand and their corporate philosophy.
Anticipate the Need to Educate Law Enforcement or Other Requesting Parties About Your Product or Service
To avoid legal processes that are unclear, inappropriate or overbroad, IoT companies should anticipate the need to accurately and succinctly explain how their product or service works, what data is available, the location of the data, retention periods, any encryption that prevents access to certain data and which identifiers must be included in the legal process for the company to respond. Some companies proactively provide this information in public guides; doing so in advance of a legal process can streamline and narrow the response. This type of overview might be included as an exhibit to the data requests protocol to be ready to modify and use in a particular request as needed.
As IoT companies continue to grow, so too will public and private requests for the data these companies collect. Internet companies already field hundreds of thousands of requests annually, and the next generation of IoT data is sure to be of similar interest to law enforcement and litigants. Although a subpoena, court order or search warrant cannot be avoided or ignored, planning for such requests in advance will ensure your company is prepared to meet its legal obligations in a manner consistent with its values and without unnecessary risk or burden.
[1] Peter Newman, IoT Report: How Internet of Things technology growth is reaching mainstream companies and consumers, Business Insider (Jan. 28, 2019), https://www.businessinsider.com/internet-of-things-report.
[2] See, e.g., Cisco Global Cloud Index: Forecast and Methodology, 2016-2021 4 (Nov. 19, 2018), https://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/white-paper-c11-738085.pdf.