The Internet of Things (IoT) is disrupting just about every industry. But it may get disrupted itself as the nation’s legal and regulatory system slowly catches up with the massive security and privacy risks it creates.
Not anytime soon, however. “Work in progress” was the operative phrase at a panel session at this week’s RSA conference titled, “Flaming toasters to crashing cars – the Internet of Things and mass liability.”
Most of the problem with establishing legal liability surrounding the IoT is that while its growth is regularly called “explosive,” a lot more growth, on a bigger scale, is yet to come.
The number of connected things is expected to grow exponentially, to the point that one of the panelists, Jay Brudz, an attorney at Drinker Biddle & Reath, declared that “Internet of Things” is already a “dumb phrase. In years to come, it’s going to be everything but computers with a human interface, so it’s just going to be the Internet,” he said.
Another panelist, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, agreed that the IoT, as vast as it appears, is “still in the early days. NIST (National Institute of Standards and Technology) has some materials on this, but the broader set is a work in progress.”
That does not mean nothing is happening. Nithan Sannappa, a privacy and data security attorney at the Federal Trade Commission (FTC), said the agency is interested in IoT consumer products or services, and has brought about 50 cases against various companies, mostly focused on the “inadequacy of the company’s network.”
Sannappa was the lead attorney on the recent settlement between the FTC and ASUSTek Computer over flaws in its consumer routers.
While the company had promised that customers could “safely secure and access your treasured data through your router,” the FTC found that “hackers used easily accessible tools to locate and exploit (them), gaining access to more than 12,900 consumers’ storage devices.”
The FTC’s authority comes under its role in sanctioning companies that demonstrate “unfair and deceptive” business practices.
But the FTC settlements so far haven’t included any heavy financial penalties – in most cases the companies agree to improve their security and to submit to audits. If they violate the terms of the agreement, they can then be subject to fines.
And while that may send a signal to other manufacturers about not promising what they are not delivering, Hibbard and Brudz both said in the rush to get connected devices to the market, security remains an afterthought.
“The business model is to launch them and then fix them later,” Brudz said.
Hibbard said this will become a bigger problem since the IoT amounts to “the building blocks of our future environment. The problem is that we’re only thinking three years ahead when we should be thinking 30 years ahead. It’s like our highway system – it would be better if we could completely rebuild our roads, but we can’t. We can only patch them.”