IoT slide deck (transcript)
The Internet of Things:
Best Practices for Privacy, Data Security,
and IP Protection
Morris, Manning & Martin, LLP
Benjamin J. Warlick, 404.504.5419
[email protected], @BenJWarlick
Bryan D. Stewart, 404.504.5421
[email protected], @bdstewart3
The World of IoT…
• IoT = Internet-connected “smart” and autonomous objects
• Recent forecast by Gartner: 6.4 billion “things” in 2016; 20.8 billion by 2020
• Today’s Agenda
  • IoT challenges
  • Legal/Regulatory background
  • Industry guidelines
  • IP protection
  • Best practices
IoT Challenges
Security Challenges:
• Limited computing power
• Limited battery power
• Limited bandwidth
Privacy Challenges:
• Limited user interface for notice and consent
• Collection of behavioral patterns may be highly sensitive
IP Challenges:
• Systems may include many “light-weight” sensors
• Software patentability issues
Security and Privacy – Why Worry?
2011 reports on Fitbit security lapses:
• User profiles public
• No encryption or authentication
• Transmission of login credentials in plaintext
Some recent IoT security failures:
• Stuxnet attack on Iranian centrifuges
• Iranian attack on New York dam
• Damage to German blast furnace
IoT Class Action Litigation
• Mattel – Hello Barbie
  • Although a parent must consent to activate Hello Barbie, the plaintiffs allege that other children are exposed
• ADT – home/business security systems
  • Plaintiffs allege that the security systems are marketed as safe and reliable, but the wireless signals between the sensors and the control system are unencrypted and unauthenticated
• Vizio – smart TVs
  • Plaintiffs allege that Vizio smart TVs record viewers’ IP addresses and viewing data, including what users are watching and when, and send it to third parties to customize ads
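The ADT allegation above turns on sensor-to-panel radio traffic that carries no authentication, so a forged or replayed frame is indistinguishable from a real one. What follows is an added example written for this page; it is not ADT’s, Fitbit’s or any vendor’s protocol and not code from the deck. It shows a minimal authenticated sensor frame (a pre-shared key, a truncated HMAC-SHA256 tag and a monotonic counter) of the kind that fits the limited computing power and bandwidth listed under IoT Challenges, and it exercises the replay, tampering and forgery cases a hub must reject. The key, sensor ids and event names are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed example key: a 256-bit secret provisioned into one sensor (and the
# hub) at manufacture. Real deployments provision a distinct key per sensor.
SENSOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

HEADER = ">HI"                          # 16-bit sensor id, 32-bit monotonic frame counter
HEADER_LEN = struct.calcsize(HEADER)    # 6 bytes
MAC_LEN = 16                            # truncated HMAC-SHA256 tag keeps frames small on a low-bandwidth radio


def sensor_frame(sensor_id: int, counter: int, event: bytes, key: bytes) -> bytes:
    """Sensor side: build id || counter || event and append a truncated HMAC over all of it.

    HMAC-SHA256 is one hash computation per frame, which suits a constrained sensor far
    better than an asymmetric signature, and the counter gives the hub a replay check.
    """
    body = struct.pack(HEADER, sensor_id, counter) + event
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Hub:
    """Control-panel side: accept only frames whose MAC verifies and whose counter advances."""

    def __init__(self, keys: dict):
        self.keys = keys            # sensor id -> pre-shared key
        self.last_counter = {}      # sensor id -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (sensor_id, counter, event) for a genuine, fresh frame; None otherwise."""
        if len(frame) < HEADER_LEN + MAC_LEN:
            return None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        sensor_id, counter = struct.unpack(HEADER, body[:HEADER_LEN])
        key = self.keys.get(sensor_id)
        if key is None:
            return None                                  # unknown sensor id
        expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):       # constant-time comparison
            return None                                  # forged or tampered frame
        if counter <= self.last_counter.get(sensor_id, -1):
            return None                                  # replayed or stale frame
        self.last_counter[sensor_id] = counter
        return sensor_id, counter, body[HEADER_LEN:]


def demo() -> dict:
    """Run the genuine / replayed / tampered / forged / unknown-sensor cases against one hub."""
    hub = Hub({7: SENSOR_KEY})
    genuine = sensor_frame(7, 1, b"DOOR_OPEN", SENSOR_KEY)
    captured_tag = genuine[-MAC_LEN:]
    # An attacker who sniffed the frame but holds no key can replay it, edit it, or invent one.
    tampered = genuine[:HEADER_LEN] + b"DOOR_SHUT" + captured_tag
    forged = struct.pack(HEADER, 7, 99) + b"ALL_CLEAR" + bytes(MAC_LEN)
    return {
        "genuine": hub.accept(genuine),             # (7, 1, b"DOOR_OPEN")
        "replayed": hub.accept(genuine),            # None: counter 1 already seen
        "tampered": hub.accept(tampered),           # None: MAC no longer matches the body
        "forged": hub.accept(forged),               # None: attacker cannot compute the MAC
        "unknown_sensor": hub.accept(sensor_frame(9, 1, b"DOOR_OPEN", SENSOR_KEY)),   # None
        "next_genuine": hub.accept(sensor_frame(7, 2, b"DOOR_CLOSED", SENSOR_KEY)),   # (7, 2, b"DOOR_CLOSED")
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {'accepted' if result else 'rejected'} {result or ''}")
```

This covers authentication and replay protection only; confidentiality of the event payload (the other property the ADT complaint says was missing) is a separate layer. Truncating the tag to 16 bytes is a bandwidth trade-off, and giving each sensor its own key means a stripped sensor does not let an attacker impersonate the rest of the installation.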
FTC Enforcement Action: TRENDnet
• First enforcement action involving an Internet-connected device
• FTC allegations:
  • Transmitted user login credentials in clear text over the Internet
  • Stored login credentials in clear text on users’ mobile devices
  • Failed to test that video feeds marked as private would in fact be private
• Hackers were able to access live feeds
Regulatory/Legal Background
• In the United States there is no general privacy or security statute
• Primary sources of government authority:
  • Federal laws: Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), CAN-SPAM, Children’s Online Privacy Protection Act (COPPA), Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA)
  • State privacy and data breach notification laws
  • Federal and state agency regulations and guidelines
• Industry guidance
Federal Statutes and Agencies
HIPAA: Covered health care entities must implement safeguards to protect individually identifiable health information.
Children’s Online Privacy Protection Act (COPPA): Key requirements for commercial website or online service providers targeting children under 13: Before collecting personal information of children, must provide notice to the child’s parent and obtain consent from the parent.
Federal Trade Commission Act (FTC Act): the FTC may initiate enforcement actions against companies for alleged “unfair or deceptive acts or practices in or affecting commerce . . .”
Food & Drug Administration (FDA): recently issued draft guidance on cybersecurity for approved Internet-connected medical devices.
FTC Staff Report on the IoT: Privacy
Data minimization
• Limit data collected and retained, and dispose of data once it is no longer needed
Notice and choice
• Choice is not required before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer
• To provide notice and request consent, the FTC suggests developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard
FTC Staff Report on the IoT: Security
1. Build security into devices at the outset, rather than as an afterthought
2. Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
3. Retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers
4. When significant risks are identified, implement a defense-in-depth approach, in which security measures are considered at several levels
5. Implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network
6. Monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities
IoT – Industry Guidelines
• NIST Cybersecurity Framework
• Online Trust Alliance (OTA) – IoT Trust Framework
  • Commitment to comply with relevant regulatory requirements
  • Identifies a set of 30 minimum security and privacy requirements and recommendations
• WearFit – IEEE Center for Secure Design
  • Envisions a fictional wearable fitness tracking system
  • Walks through 10 potential security flaws and how to avoid them
Privacy Policy
• A privacy policy statement explains how a business collects, uses, shares, and manages personal information
• Required by CalOPPA and HIPAA
• Risk of enforcement action if a business fails to comply with its own privacy policy
• Include a COPPA notice where the service is directed at children under 13
• Do not promise what you cannot deliver (e.g., if you say you will not sell data to third parties, you must comply with your own statements)
Intellectual Property Challenges with IoT
• First-to-file patent regime (race to the patent office)
• Systems may include many “light-weight” sensors (potentially difficult to patent if built from “off the shelf” components)
• Software patentability issues (potentially difficult to protect data collection)
• Potential disclosure issues (trade secret versus patent)
• Standards and FRAND
IP Protection
Copyright – Protects original works of authorship (software)
Trademark – Protects brands or product names
Trade Secret – Protects information that is not generally known, and has economic value because it is not generally known – prevent security risks?
Patent – Protects “inventions” in the form of processes, machines, compositions of matter, and articles of manufacture, but requires public disclosure
Why Does IP Matter?
• IP should be a part of overall business strategy (even if the strategy is not to seek IP protection)
• Adds value to the company
  • Protection
  • Competitive advantage (barrier to entry)
  • Administrative efficiencies
  • Discrete properties that can be bought, sold, and traded
• IoT has been topping the charts in M&A activity
  • Last year Jawbone launched a patent war against Fitbit (alleged patent infringement and theft of trade secrets)
IP Protection
Patent infringement: making, using, offering to sell (or selling), or importing what is described in the patent claims.
How do you protect a hub-and-sensor system if some parts may be sold by separate parties?
[Diagram: one HUB connected to three SENSORs]

OPTION 1: Draft claims around the hub.
[Diagram: claim boundary drawn around the HUB]

OPTION 2: Draft claims around a sensor.
[Diagram: claim boundary drawn around a single SENSOR]

OPTION 3: Draft claims around more than one sensor.
[Diagram: claim boundary drawn around multiple SENSORs]

OPTION 4: Draft claims around the hub, a sensor, the combination of hub and sensor, and how the signals are processed (separate claim sets – more robust / “patent thicket” protection).
[Diagram: claim boundaries drawn around the HUB, a SENSOR, and the HUB-plus-SENSOR combination]
Summary of Best Practices
• Be compliant with federal and state regulatory requirements
• Prioritize security and privacy by design; be familiar with industry practice
• Limit data collected and retained
• Allow consumers notice and choice in how their data is collected, used, and shared
• Be proactive in identifying security risks throughout the product lifecycle
• Consider IP early as part of the overall business strategy
Thank You!
Benjamin J. Warlick
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: 404.504.5419
[email protected]
@BenJWarlick

Bryan D. Stewart
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: 404.504.5421
[email protected]
@bdstewart3
Stay up to date! Join the MMM IoT Group on LinkedIn for our frequent posts on IoT security, privacy, and IP issues.
Disclaimer
The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to constitute legal advice.
Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.
The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.
This document is Copyright ©2016 Morris, Manning & Martin, LLP. All rights reserved worldwide.