FTC Calls for Greater Protection than HIPAA for Internet of Things
This week, the FTC published a new report calling for greater privacy and security controls to be implemented covering the Internet of Things (IoT).
The growth of digital technology over the past few years has seen numerous new mobile devices come to market which can record and share detailed information about the owner’s health and lifestyle. Digital cameras can now take photos at the press of a button, while those images can just as easily be shared with others. Home automation systems similarly store data, while wearable devices such as fitness trackers and Smartwatches record health metrics and use GPS systems to track individuals.
All of this highly detailed data is stored in the cloud, on the devices themselves, and potentially on the devices of friends, family and acquaintances. There is potential for this data to be shared with unauthorized individuals and controls must be put in place to reduce the risk of unauthorized disclosure.
In an increasingly interconnected digital world, data privacy and security is of paramount importance. The FTC pointed out that six years ago the number of internet connected devices exceeded the number of humans on the planet for the first time in history. However, we are only just starting to explore the potential of this new technology.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
According to industry experts, in another six years the number of devices will have risen to 25 billion, with that figure expected to double by 2050. Data privacy and security issues therefore need to be resolved now to ensure that consumers are properly protected and new standards introduced to keep personal data secure.
The report highlighted four areas which need to be addressed as a matter of urgency:
- Data minimization
- Notice and choice
- New Legislation
Security is an area which product developers must address, although the exact measures taken should be tailored to the device in question and based on the nature and quantity of data recorded. The FTC calls for developers to build data security protections into their devices as they are developed, rather than bolting on patches and fixes after the event. Those data security measures should be applied on multiple levels and be rigorously tested prior to the device coming to market.
Data minimization was highlighted as critical to ensure that in the event of a security breach, the data which can be potentially exposed is kept to a minimal level. Any data recorded by IoT devices must be kept only as long as necessary and then it must be securely erased. Not only will this lower the risk to consumers, it also means the devices will not be such a potentially lucrative target for cybercriminals. The FTC also pointed out that large data stores pose a risk that the data will eventually be used in ways that “that departs from consumers’ reasonable expectations.
Notice and Choice
Consumer choice about what data is collected and stored is potentially one of the bigger challenges for IoT developers. Individual privacy preferences may be difficult to implement since many devices are purposely designed to record, store and share data. However, efforts should be made by developers to offer consumers the choice about the data that is stored and shared, as far as is reasonably possible.
The FTC is calling for new legislation to protect consumers, although it appreciates that there is a balance to be struck between regulation and innovation and it accepts that the introduction of new regulations at this stage in IoT development may hold technology back. It does believe there is some middle ground which can be occupied, such as the development of self-regulatory programs which will encourage greater privacy and security controls to be incorporated into new devices.
The FTC has called for congress to pass new legislation that specifically covers IoT in order to raise baseline privacy standards and to plug gaps in existing federal laws.
HIPAA Privacy and Security Rules were issued to protect the health data of consumers, but only if the data is recorded and stored by HIPAA-covered entities. If health data is collected by healthcare providers, clearinghouses, health plans, insurers and their Business Associates, privacy and security rules must be adhered to. However, if health-related data is collected and stored by non-HIPAA-covered entities – fitness band manufacturers for example – they are not bound by HIPAA rules. The FTC is arguing that new legislation is critical in order to protect all sensitive health information, and the controls should be in place to secure the data, regardless who collects and stores it.
Policing IoT Privacy and Security
Without changes to federal laws, the FTC will not be able to police the IoT industry as rigorously as it wishes. At the present time the FTC lacks the authority to respond to certain IoT-related privacy and security practices, in particular in the area of privacy disclosures or consumer choice, unless it is able to determine deception or unfairness.
Until new legislation is introduced the FTC will be continuing to work with the tools it has available to ensure the IoT industry takes privacy and security seriously. These measures include reporting companies or individuals that break current privacy and security laws to law enforcement, educating both businesses and consumers on data privacy, taking part in stakeholder groups to help set new standards and seeking advocacy opportunities in both federal and state legislation to ensure the privacy of consumers is better protected.
The report was compiled following an FTC-hosted workshop held in November 2013 and has been criticized by one FTC commissioner, Jeffrey Wright, for being premature.
According to Wright, “A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations.”