Interconnected with the rise of AI is the growth of the IoT, which is already transforming businesses. Mayer Brown’s Linda Rhodes and Charles King III cover not only the rise of IoT, but also the risks of such technology.
The internet of things (IoT) is driving business transformation. Its impressive data-collection abilities allow companies to harvest huge amounts of information in real time. When paired with sophisticated data analytics tools, such as artificial intelligence (AI), businesses can use this data to derive insights into their business operations — creating new revenue opportunities and increasing efficiency. Global IoT spending is expected to reach $745 billion in 2019 and Gartner, the consulting firm, predicts that by 2021 over 25 billion IoT devices will be in use — up from an estimated 14.2 billion in 2019.[1]
Although IoT introduces new opportunities, implementation of IoT systems comes with challenges and risks. IoT devices operate in highly connected networks. The greater the connectivity of solutions, the more opportunities exist for points of failure in operation. Further, a vulnerability in one node of the network can have broad implications throughout the system. Bad actors that exploit deficient IoT security measures can cause numerous harms, including business delays, breaches of security and privacy and even physical injury.
Another challenge presented by IoT is making effective use of the data. Even when collected in a structured format, companies use less than 50 percent of their data in decision-making, and when data is collected in an unstructured format, that number falls below 1 percent.[2] With these factors in mind, it is not surprising that only 26 percent of companies believe their IoT initiatives have been successful.[3] So, how do companies utilize IoT solutions while avoiding the pitfalls associated with such technology?
Companies that implement digital management strategies up front, beginning with “by design” solutions, can mitigate risk and optimize IoT capabilities. Having a digital management strategy that gives consideration to safety, security, privacy and data management up front will enable businesses to manage risk in order to turn vast amounts of data into actionable intelligence. “Smart” businesses will further understand that their digital management strategy cannot be static in light of changing business requirements, growing threats, evolving regulatory landscapes and the expansion of a supplier base with varied contracting approaches and risk tolerances.
Current Legal Landscape
IoT lawsuits have largely focused on (1) deficient product security and (2) misuse of consumer data.[4] Plaintiffs filing these claims have alleged that IoT security vulnerabilities and data breaches have subjected them to a risk of future harm, although the bad actors have not actually exploited the security vulnerabilities or misused the information exposed to the data breach. In the absence of actual harm, plaintiffs have struggled to assert the Article III standing necessary in order to pursue these claims. The Federal Trade Commission (FTC) has also shown its willingness to bring enforcement actions against IoT manufacturers that engage in unfair or deceptive acts affecting commerce, though the commission has similarly struggled in such cases to demonstrate actual harm.[5] But it is only a matter of time before a successful cyberattack occurs — presenting “fundamentally different” high-stakes IoT litigation.[6]
Federal IoT legislation has been proposed in the United States, but the U.S. federal government has yet to pass any of it into law. The Internet of Things Cybersecurity Improvement Act was introduced in the U.S. Senate in 2017. That Act would require vendors selling IoT devices to the U.S. government to enter into certain security-centered contractual provisions.[7] More recently, the House of Representatives passed the SMART IoT Act, which would task the Department of Commerce with conducting a comprehensive study of the IoT industry.[8]
Although no U.S. federal legislation has become law, California recently became the first state in the United States to pass legislation directed at IoT — focusing on device security.[9] The California law will take effect January 1, 2020 and will require manufacturers of connected devices to equip such devices with a “reasonable security feature.”[10]
Similarly, the European Parliament recently approved the EU Cybersecurity Act, which is a cybersecurity regulation aimed at establishing certification schemes for ICT products, services and processes sold in the European Union.[11] Such certification schemes applied to IoT devices would make such devices safer and more secure.
Even without IoT-specific legislation in place, the regulatory schemes of different industries may affect how companies can use IoT devices in their businesses. For example, the United States Food and Drug Administration regulates “medical devices,” which may include IoT devices, depending on the product’s application. As another example, the United States Department of Transportation (DOT) recently released updated policies and guidance to support the continued development of autonomous vehicles, including the use of IoT data collection to enhance their capabilities.[12] The DOT’s guidance focuses on safety and providing a path forward to implementation of autonomous vehicles.[13] There are, of course, few industries without IoT use cases and applicable regulatory schemes. Additionally, regardless of industry, companies collecting data through IoT applications are likely to be subject to various data privacy laws such as GDPR.
Assessing Risk
The first step to understanding the risk associated with an IoT system is determining what types of data are being collected and the legal obligations associated with those types of data. For instance, a small business that uses IoT to collect inventory data may not have any legal obligations with respect to that data. But a company that manufactures IoT home devices probably collects vast amounts of personal data (e.g., names, protected health information, etc.) and is thus subject to various privacy laws. These privacy laws, GDPR in particular, can be burdensome and, if violated, may trigger large fines.[14]
Additionally, companies should be aware of any contractual obligations that may classify data as “confidential information” — or otherwise restrict use of IoT data. By understanding each data type and the obligations associated with that data, companies can create digital management strategies that keep them in compliance with those contractual obligations.
Every digital management strategy should consider IoT security concerns. IoT devices are notorious for security vulnerabilities — in 2017, nearly half of all companies using an IoT network had been the victim of a security breach.[15] Further, it is estimated that through 2022, half of all IoT security budgets will go toward fault remediation.[16]
Further, not all data is “good” data. Like most instruments, IoT sensors may not always provide accurate readings due to improper calibration or a device malfunction. Using “bad” data can lead to faulty conclusions and negative consequences. This is especially true in the context of AI.
Recommendations for Contracting
Developing a complete IoT solution can be a difficult endeavor that requires multiple vendors to provide an array of products and services such as sensors, data storage, data networks, data ingestion, data cleansing and aggregation and data analytics. The various products are unlikely to be designed to work together, and each of the multiple vendors would prefer to bear as little as possible of the risk of the overall solution while having as much access to the data as possible. This arrangement leads to various potential failure points throughout the IoT system and makes for a complex contracting scheme. But there are contractual approaches and provisions that can mitigate risk.
Conducting due diligence on potential IoT providers is a good start for contracting — in fact, the FTC recommends it.[17] Due diligence should include legal and security inquiries in addition to technical, operational and other forms of diligence. By conducting diligence, companies can ensure that each vendor’s product or service offering can be integrated into the larger IoT solution. Companies can also identify “red flags” that disqualify a vendor from the selection process (e.g., poor financial health, legal concerns or substandard security measures).
Companies should also strive for detailed security and audit provisions in vendor contracts. Notably, the FTC has brought enforcement actions against companies for failure to reasonably oversee the security practices of their service providers — in part due to a lack of security-related contract provisions.[18] Recommended contract provisions will vary depending on each IoT solution, but could include requirements such as compliance with privacy laws and industry standards, audit rights, penetration testing, vulnerability scans, restrictions on system access and data breach notification.
Vendor contracts should assign rights to IoT data. Companies in particular should also carefully consider whether it is appropriate to restrict usage rights for vendors who have access to company data. As noted above, there may be numerous vendors who have access to the data as it flows from the device into networks and eventually to the company. Many of those vendors may be able to monetize the data in ways that do not adversely affect the company. For example, vendors may want to use a company’s IoT data in order to create industry reports and form insights into their business, which may be acceptable so long as the vendor aggregates and anonymizes the data. But even then, if analyzed closely, that data may reveal a company’s identity or provide business advantages to a competitor.
Currency and maintenance of the IoT devices are also major contracting issues. Vendors often update their devices and service offerings. This can cause operational problems for an IoT solution that relies on several different vendors’ devices and services. For example, if a vendor updates its IoT sensors, the integrated data analysis software may require corresponding updates to ensure proper operation of the system, and if the updates require physical access to the IoT devices, updates could be costly to implement. To address this risk, vendor contracts should clearly define maintenance requirements and ensure that IoT systems will be supported over time. It may also be useful to build in substantial notice periods before vendors can make changes that would reduce system functionality.
This is by no means an exhaustive list of issues that should be addressed in IoT contracts. Instead, we intend to provide a context that companies can use to develop their own IoT contracting principles. The common theme is that IoT solutions are often complex and require multiple vendors. Digital management strategies should account for this complexity in order to increase the likelihood of successful IoT initiatives.
[1] Gartner, Gartner Identifies Top 10 Strategic IoT Technologies and Trends (Nov. 7, 2018), available at https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends; IDC, IDC Forecasts Worldwide Spending on the Internet of Things to Reach $745 Billion in 2019, Led by the Manufacturing, Consumer, Transportation, and Utilities Sectors (Jan. 3, 2019), available at https://www.idc.com/getdoc.jsp?containerId=prUS44596319.
[2] Tim Stack, Internet of Things (IoT) Data Continues to Explode Exponentially. Who Is Using That Data and How?, Cisco (Feb. 5, 2018), available at https://blogs.cisco.com/datacenter/internet-of-things-iot-data-continues-to-explode-exponentially-who-is-using-that-data-and-how. “Unstructured data does not have a specific format. It can come in any size, shape, or form, which makes it incredibly difficult to manage and analyze. Structured data is limited in the sense that it can only contain certain types and amounts of information in its defined fields, but unstructured data has no such limitations. While structured data is easy to search using basic algorithms, unstructured data doesn’t follow any predictable pattern that a simple algorithm can process. Internet of Things (IoT) devices are also becoming a major source of unstructured data.” Tom Banta, Finding a Needle in a Haystack: How to Manage Unstructured Data, vXchange (Aug. 9, 2019), available at https://www.vxchnge.com/blog/finding-a-needle-in-a-haystack-how-to-manage-unstructured-data.
[3] Stack, supra note 2.
[4] Stephen Lilley, et al., Cybersecurity and Data Privacy: Navigating a Constantly Changing Landscape, Mayer Brown (Oct. 2018) at 10-11.
[5] In 2017, the FTC brought an enforcement action against D-Link Corporation alleging that the company failed to take reasonable steps to secure its consumer routers and IP cameras but was ultimately unsuccessful due to its inability to demonstrate actual harm. Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-CV-00039-JD, 2017 WL 4150873 (N.D. Cal. Sept. 19, 2017). See also Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras, Federal Trade Commission Press Releases (Jan. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
[6] Id.
[7] Internet of Things (IoT) Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. § 3 (2017), available at https://www.congress.gov/bill/115th-congress/senate-bill/1691/text.
[8] SMART IoT Act, H.R. 6032, 115th Cong. (2018), available at https://www.congress.gov/bill/115th-congress/house-bill/6032/text.
[9] S.B. 327, 2017-2018 Reg. Sess. (Cal. 2018), available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327.
[10] Id.
[11] Michael Thaidigsmann, EU Cybersecurity Act clears final parliamentary hurdle (Mar. 13, 2019), available at https://inhouse-legal.eu/public-policy-regulations/eu-cybersecurity-act-passed/. ICT products are hardware and software elements of network and information systems.
[12] United States Dept. of Transportation, AV 3.0: Preparing for the Future of Transportation (Oct. 2018), available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/320711/preparing-future-transportation-automated-vehicle-30.pdf.
[13] Id.
[14] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
[15] AJ Dellinger, Internet of Things Safety: Nearly Half of U.S. Firms using IoT Hit by Security Breaches, Newsweek (June 5, 2017), available at https://www.newsweek.com/iot-security-internet-things-safety-breaches-businesses-how-protect-621230.
[16] Michelle Knight, Data Management and the Internet of Things, Dataversity (Dec. 12, 2018), available at https://www.dataversity.net/data-management-internet-things/.
[17] In the Matter of The Internet of Things and Consumer Product Hazards, Comments of the Staff of the Federal Trade Commission’s Bureau of Consumer Protection, Docket No. CPSC-2018-007 at 7 (June 15, 2018), available at https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-federal-trade-commissions-bureau-consumer-protection-consumer-product-safety/p185404_ftc_staff_comment_to_the_consumer_product_safety_commission.pdf.
[18] Id. at 7-8.