Andrea Matwyshyn, professor of Law at Northeastern University and Microsoft Visiting Professor at Princeton’s Center for Information Technology Policy, said, “Security enables good functionality and consumer trust, but we need a regulatory scalpel, not a regulatory ax.”
Regulations can ensure better quality, functionality, security, and privacy, but Matwyshyn warned, “Some regulation can be damaging. When we start to apply a heavier lens, we’re disrupting innovation.”
Arguing for diversity in the marketplace, Matwyshyn raised the question of technology suitability. “Just because we can add Bluetooth or WiFi doesn’t mean it’s optimal. There are consumers that don’t want the most advanced highly connected device.”
While Matwyshyn argued that fewer connected devices is a market opportunity, the IoT has infiltrated itself into our society, and the latest innovations—whether needed or not—are in high demand. In order to secure the data and the devices, information sharing needs to change.
“One key focus is the idea of information sharing,” said Matwyshyn. “The average quality of security advisories is not good. We need information rich security advisories.”
Failing to provide reasonable security could result in trouble with the FTC for enterprises, trouble that companies have been dealing with since long before the explosion of IoT. Brill spoke of a recent case that came out of the 3rd circuit ruling that the FTC has the authority to prohibit unfair acts in commerce if a company fails to provide reasonable security.
The courts have established that it is reasonable to expect companies are protecting data and privacy, which means that developers need to do more to protect privacy and security by design. To that end, the FTC has started a new enterprise education initiative to educate businesses on promoting good data and privacy security practices.
Seal programs like those available through United Labs, a safety consulting and certification company, are one way to bring greater awareness of privacy and security to the enterprise, but Brill argued, “It needs to be a real program and a good program. There is also a role for self-regulation.”
For many businesses, staying out of the headlines is motivation enough to self-regulate. Lefkowitz said, “If there is a breach of a product or a device, my first concern is not the FTC. It’s the front page of the Wall Street Journal.”
Lefkowitz argued that there is a really important place in the IoT for certification and seal programs. “When putting out a baby monitor, is it important to have a seal? Yes. But GE is putting out airplane engines.” Does a seal really mean anything when it is stamped on an engine or a wind turbine?
GE is a company betwixt the world of old and new, as it has successfully transitioned to a company that is putting out connected devices. Though they’ve been in the space a long time, the industrial internet has brought attention to its newer more connected devices. “We’ve developed internal standards, and there is the ongoing paranoia about oopsies,” said Lefkowitz.
Sign up for CIO Asia eNewsletters.