The Federal Trade Commission (FTC) in January released a staff report that recommends best practices that businesses can implement to reap the benefits from a growing world of Internet-connected devices while enhancing and protecting consumers’ privacy and security. The report also calls for new legislation to help it crack down on companies that may abuse or fail to protect people’s data.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez in a statement posted on the agency’s web site. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The Internet of Things refers to the ability of everyday objects to become connected to the online world and to send and receive data. While such connected devices have the potential to offer benefits such as improved health monitoring, safer highways, and more efficient home energy use, they also raise numerous consumer privacy and security concerns, according to the FTC report.
Among other things, the report urges companies that develop devices for the Internet of Things to build security into those devices from the outset, train employees about the importance of security, ensure that outside service providers are capable of maintaining reasonable security, use multiple layers of security to defend against a particular risk, and monitor connected devices throughout their expected life cycle.
While the report did not urge legislation to regulate the Internet of Things specifically, it reaffirmed the commission's support for general data security breach legislation. It also renewed a call for Congress to pass a broad-based privacy bill. In May 2012, the FTC issued a report on the need for baseline federal privacy legislation that provides clear standards and appropriate incentives to ensure basic privacy protections across all industry sectors.
Absent congressional action, the FTC said that developers should focus on minimizing the amount of data they collect, be clear about what they are using it for, and then take steps to safeguard it. A best practices report released on January 21 by the Online Trust Alliance analyzed about 1,000 data breaches in the first part of 2014 and concluded that more than 90% of the breaches were avoidable if companies had used password management and encrypted passwords.