Corporate Compliance Insights

Why and How IoT Companies Should Prepare for Law Enforcement and Other Demands for Production of Data

Anticipating the Inevitable

by Christine Lyon, David Newman, Alexandra Laks and Peter Carey
August 14, 2019
in Compliance, Featured

Since many IoT devices capture data, IoT companies are fielding and will increasingly field requests for the data in connection with criminal or civil proceedings. Attorneys from Morrison & Foerster discuss the growing demand and what IoT companies should consider going forward.

There are an estimated 10 billion internet of things (IoT) devices — a number forecast to skyrocket to more than 64 billion by 2025.[1] Devices that historically were never internet‑connected now collect and share zettabytes (1 zettabyte = 1 trillion gigabytes) of data about people (through consumer‑facing devices) and companies (through industrial IoT devices).[2]

Companies that manufacture smart devices now are also data companies, whether they want to be or not — and the data they collect is an increasingly rich target for law enforcement and other governmental requests, as well as subpoenas and other legal demands for production of data (collectively, “data requests”). Legal counsel are seeing an increasing number of companies across industries receiving law enforcement requests for stored data, and yet many IoT companies have not yet considered how they will comply with them.

In recent years, debates about law enforcement access to data have focused on interactions between the U.S. government and major technology companies, but smaller IoT companies should expect to receive data requests in connection with criminal and/or civil proceedings as well. To effectively respond, IoT companies should consider the following:

Design IoT Products and Services with an Eye Toward Future Law Enforcement and Similar Data Requests

As a general principle, the less data a company collects or retains, the less data that company may be required to disclose in response to a data request.

Initial decisions about a product’s or service’s data collection, storage, retention and encryption practices can directly impact what data is requested by law enforcement and what data is available to respond to requests. For example, will your smart-home device track when and where a user activates devices, or will it simply enable remote activation? If you decide to track device usage, what type of information will you collect, how long will you store it and in what format? The more data you collect and the more accessible you make that data, the greater the likelihood you will receive a data request. Companies that make IoT devices should consider how their design decisions might give rise to such requests and the associated challenges they might pose.

Develop a Protocol in Advance for Responding to Data Requests

If today your company were to receive an urgent demand from law enforcement for your customers’ data on alleged national security grounds, would you know what to do? Developing a protocol in advance can help you avoid turning each request into an unnecessary fire drill and increase your odds of responding appropriately. In developing this type of protocol, it is valuable to consider operational processes, legal framework and corporate philosophy:

Identifying Stakeholders and Decision-Making Authority

Do you know which stakeholders within your company would need to be consulted about the company’s response to the demand and who has the final decision-making authority? The odds are high that this decision will go beyond the legal function and will include stakeholders involved in managing the customer relationship, public relations and executive management. The stakes are high, with your company facing government pressure on one side and potential legal, business and PR risks from the customer on the other side, so you’ll want to identify in advance who within your company needs to be at the table.

Understanding the Legal Requirements

Do you have a general understanding of the legal frameworks that apply to the types of data requests that you may receive, such as requests under the federal Stored Communications Act (SCA) or applicable laws in other countries? While there is no need to include an extensive legal analysis in your protocol for handling data requests, it is helpful to identify the typical legal frameworks that may be relevant for your business to jump-start your analysis in a particular situation.

Different types of data require different legal processes. Some IoT companies may collect data subject to the SCA, for example. Under the SCA, there are different rules for disclosing subscriber information (such as name or IP address) as compared with content (such as the substance of an audio or video recording). It is helpful to categorize the data your company collects and determine the general legal frameworks for each to avoid ad hoc and repetitive analysis.

Applicable laws may provide important exceptions. For example, the SCA permits companies to voluntarily disclose to law enforcement – without a legal process – the contents of electronic communications upon a good-faith belief that an emergency involving danger of death or serious physical injury requires disclosure without delay. How will the company determine whether circumstances qualify as an emergency? Who needs to be notified, and how will the company expedite the response? These are challenging questions, and IoT companies should be prepared to answer them before receiving an emergency request.

IoT companies – and particularly those with global customer bases – should expect requests from foreign law enforcement agencies. Because the legal mechanism for such requests can take months or even years, foreign law enforcement agencies will often issue preservation requests (directing the recipient to preserve categories of records for possible production) along with a demand. Establishing standards in advance about when and how long to honor such requests may prevent a company from later being criticized for failing to cooperate with foreign regulators.

Deciding Your Company’s Philosophy on Data Requests

Beyond the legal issues, it is also important to consider any commitments your company has made to its customers or the public, as well as your company’s overall philosophy when handling data requests. Some companies have a general policy of turning over information only when accompanied by a valid legal process, even if this may incur additional pressure and cost in fighting the data request. Some have a policy of notifying customers when their data is turned over (and many have made contractual commitments to notify B2B customers to the extent permitted by applicable law). Some release aggregate data showing the types of requests they receive and information they provide. Companies that provide IoT devices should consider what their overall approach will be to such requests consistent with applicable legal requirements, their brand and their corporate philosophy.

Anticipate the Need to Educate Law Enforcement or Other Requesting Parties About Your Product or Service

To avoid legal processes that are unclear, inappropriate or overbroad, IoT companies should anticipate the need to accurately and succinctly explain how their product or service works, what data is available, the location of the data, retention periods, any encryption that prevents access to certain data and which identifiers must be included in the legal process for the company to respond. Some companies proactively provide this information in public guides; doing so in advance of a legal process can streamline and narrow the response. This type of overview might be included as an exhibit to the data requests protocol to be ready to modify and use in a particular request as needed.

As IoT companies continue to grow, so too will public and private requests for the data these companies collect. Internet companies already field hundreds of thousands of requests annually, and the next generation of IoT data is sure to be of similar interest to law enforcement and litigants. Although a subpoena, court order or search warrant cannot be avoided or ignored, planning for such requests in advance will ensure your company is prepared to meet its legal obligations in a manner consistent with its values and without unnecessary risk or burden.


[1] Peter Newman, IoT Report: How Internet of Things technology growth is reaching mainstream companies and consumers, Business Insider (Jan. 28, 2019), https://www.businessinsider.com/internet-of-things-report.

[2] See, e.g., Cisco Global Cloud Index: Forecast and Methodology, 2016-2021 4 (Nov. 19, 2018), https://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/white-paper-c11-738085.pdf.


Christine Lyon, David Newman, Alexandra Laks and Peter Carey


Christine Lyon is a partner in the Privacy & Data Security practices at Morrison & Foerster, based in Palo Alto. She helps companies develop privacy and data protection strategies for new products and services, as well as privacy compliance programs for their customer and employee data.
David Newman is a partner in the National Security and Global Risk & Crisis Management practices at Morrison & Foerster, based in Washington, D.C. and New York. With experience as a senior White House and U.S. Department of Justice attorney, he guides clients through sensitive matters pertaining to cybersecurity, privacy, national security and global risk and crisis management.
Alexandra Laks is a San Francisco-based associate in Morrison & Foerster’s Litigation practice group and a member of the firm’s Privacy & Data Security and Class Actions & Mass Torts groups.
Peter Carey is a Washington, D.C.-based associate in Morrison & Foerster’s Global Risk and Crisis Management practice group and a member of the firm’s National Security and Investigations and White Collar Defense groups.
