FTC Report Urges Security by Design for Consumer Internet of Things
As the internet of things (IoT) affects more consumers, businesses must build security into the devices at the outset rather than as an afterthought, a report by the Federal Trade Commission (FTC) staff recommends.
The report, Internet of Things, Privacy & Security in a Connected World, is based upon a workshop last fall discussing what consumer protections are necessary as the IoT spreads. IoT simply is devices connected to the internet. They include health and fitness monitors, home security devices, heart monitors, household appliances, and cars. The FTC estimates there are over 25 billion connected devices in use worldwide, which will grow to 50 billion by 2020.
The connectivity offers not only benefits to consumers but a variety of potential security risks that could undermine consumer confidence in connected devices. The risks include:
- Enabling unauthorized access and misuse of personal information.
- Facilitating attacks on other systems.
- Creating risks to personal safety.
To avoid some of the risks, the FTC report notes that companies should design security into the devices, conduct privacy or security risk assessments, minimize the data collected and retained, and test the security measures before launching the products.
The report recommends that consumers be notified when their information is being collected and used, especially when the data collection is beyond consumers’ reasonable expectations.
In addition, the report says, “Companies should limit the data they collect and retain, and dispose of it once they no longer need it.”
The report finds it is “premature” to pass IoT-specific legislation now. However, the report affirms the FTC’s earlier recommendation that Congress enact “strong, flexible, and technology-neutral” legislation to strengthen the FTC’s “existing data security enforcement tools and to provide notification to consumers when there is a security breach. General data security legislation should protect against unauthorized access to both personal information and device functionality itself.”