
Page 1: IoT PPT Deck

The Internet of Things: Best Practices for Privacy, Data Security, and IP Protection

Morris, Manning & Martin, LLP

Benjamin J. Warlick, 404.504.5419, [email protected], @BenJWarlick

Bryan D. Stewart, 404.504.5421, [email protected], @bdstewart3

Page 2: IoT PPT Deck

The World of IoT…

• IoT = Internet-connected “smart” and autonomous objects
• Recent forecast by Gartner:
  • 6.4 billion “things” in 2016; 20.8 billion by 2020
• Today’s Agenda
  • IoT challenges
  • Legal/Regulatory background
  • Industry guidelines
  • IP protection
  • Best practices

Page 3: IoT PPT Deck

IoT Challenges

Security Challenges:
• Limited computing power
• Limited battery power
• Limited bandwidth

Privacy Challenges:
• Limited user interface for notice and consent
• Collection of behavioral patterns may be highly sensitive

IP Challenges:
• Systems may include many “light-weight” sensors
• Software patentability issues

Page 4: IoT PPT Deck

Security and Privacy – Why Worry?

2011 reports on Fitbit security lapses:
• User profiles public
• No encryption or authentication
• Transmission of login credentials in plaintext

Some recent IoT security failures:
• Stuxnet attack on Iranian centrifuges
• Iranian attack on New York dam
• Damage to German blast furnace

Page 5: IoT PPT Deck

IoT Class Action Litigation

• Mattel – Hello Barbie
  • Although a parent must consent to activate Hello Barbie, the plaintiffs allege that other children are exposed
• ADT – home/business security systems
  • Allege that security systems are marketed as safe and reliable, but wireless signals between sensors and control system are unencrypted and unauthenticated
• Vizio – smart TVs
  • Allege Vizio smart TVs record viewers’ IP addresses and viewing data, including what users are watching and when, and send it to third parties to customize ads

Page 6: IoT PPT Deck

FTC Enforcement Action: TRENDnet

• First enforcement action involving an Internet-connected device
• FTC allegations:
  • Transmitted user login credentials in clear text over the Internet
  • Stored login credentials in clear text on user mobile devices
  • Failed to test that video feeds marked as private would in fact be private
• Hackers were able to access live feeds

Page 7: IoT PPT Deck

Regulatory/Legal Background

• In the United States there is no general privacy or security statute
• Primary sources of government authority:
  • Federal laws: Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), CAN-SPAM, Children’s Online Privacy Protection Act (COPPA), Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA)
  • State privacy and data breach notification laws
  • Federal and state agency regulations and guidelines
• Industry guidance

Page 8: IoT PPT Deck

Federal Statutes and Agencies

HIPAA: Covered health care entities must implement safeguards to protect individually identifiable health information.

Children’s Online Privacy Protection Act (COPPA): Key requirements for commercial website or online service providers targeting children under 13: Before collecting personal information of children, must provide notice to the child’s parent and obtain consent from the parent.

Federal Trade Commission Act (FTC): FTC may initiate enforcement actions against companies for alleged “unfair or deceptive acts or practices in or affecting commerce . . .”

Food & Drug Administration (FDA): recently issued draft guidance on cybersecurity for approved Internet-connected medical devices.

Page 9: IoT PPT Deck

FTC Staff Report on the IoT: Privacy

Data minimization
• Limit data collected and retained, and dispose of data once it is no longer needed

Notice and choice
• Choice is not required before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer
• To provide notice and request consent, FTC suggests developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard

Page 10: IoT PPT Deck

FTC Staff Report on the IoT: Security

1. Build security into devices at the outset, rather than as an afterthought
2. Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
3. Retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers
4. When significant risks are identified, implement a defense-in-depth approach, in which security measures are considered at several levels
5. Implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network
6. Monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities

Page 11: IoT PPT Deck

IoT – Industry Guidelines

• NIST Cybersecurity Framework
• Online Trust Alliance (OTA) – IoT Trust Framework
  • Commitment to comply with relevant regulatory requirements
  • Identifies a set of 30 minimum security and privacy requirements and recommendations
• WearFit – IEEE Center for Secure Design
  • Envisions a fictional wearable fitness tracking system
  • Walks through 10 potential security flaws and how to avoid them

Page 12: IoT PPT Deck

Privacy Policy

• A privacy policy statement explains how a business collects, uses, shares, and manages personal information
• Required by CalOPPA, HIPAA
• Risk of enforcement action if business fails to comply with its privacy policy
• Include COPPA notice
• Do not promise what you cannot deliver (e.g., if you say you will not sell data to third parties, you must comply with your own statements)

Page 13: IoT PPT Deck

Intellectual Property Challenges with IoT

• First-to-file patent regime (race to the patent office)
• Systems may include many “light-weight” sensors (potentially difficult to patent if “off the shelf” components)
• Software patentability issues (potentially difficult to protect data collection)
• Potential disclosure issues (trade secret versus patent)
• Standards and FRAND

Page 14: IoT PPT Deck

IP Protection

Copyright – Protects original works of authorship (software)

Trademark – Protects brands or product names

Trade Secret – Protects information that is not generally known, and has economic value because it is not generally known – prevent security risks?

Patent – Protects “inventions” in the form of processes, machines, compositions of matter, and articles of manufacture, but requires public disclosure

Page 15: IoT PPT Deck

Why Does IP Matter?

• IP should be a part of overall business strategy (even if the strategy is not to seek IP protection)
• Add value to company
  • Protection
  • Competitive advantage (barrier to entry)
  • Administrative efficiencies
  • Discrete properties that can be bought, sold, and traded
• IoT has been topping the charts in M&A activity
  • Last year Jawbone launched a patent war against Fitbit (alleged patent infringement and theft of trade secrets)

Page 16: IoT PPT Deck

IP Protection

Patent Infringement: make, use, offer to sell (or sell), or import what is described in the patent claims.

How do you protect a hub and sensor system, if some parts may be sold by separate parties?

[Diagram: one HUB connected to three SENSORs]

Page 17: IoT PPT Deck

IP Protection

OPTION 1: Draft claims around hub.

[Diagram: one HUB connected to three SENSORs]

Page 18: IoT PPT Deck

IP Protection

OPTION 2: Draft claims around a sensor.

[Diagram: one HUB connected to three SENSORs]

Page 19: IoT PPT Deck

IP Protection

OPTION 3: Draft claims around more than one sensor.

[Diagram: one HUB connected to three SENSORs]

Page 20: IoT PPT Deck

IP Protection

OPTION 4: Draft claims around hub, sensor, combination of hub and sensor, and how signals are processed (separate claim sets – more robust / “patent thicket” protection).

[Diagram: one HUB connected to three SENSORs]

Page 21: IoT PPT Deck

Summary of Best Practices

• Be compliant with federal and state regulatory requirements
• Prioritize security and privacy by design; be familiar with industry practice
• Limit data collected and retained
• Allow consumers notice and choice in how their data is collected, used, and shared
• Be proactive in identifying security risks throughout the product lifecycle
• Consider IP early as part of the overall business strategy

Page 22: IoT PPT Deck

Thank You!

Benjamin J. Warlick
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: [email protected]
@BenJWarlick

Bryan D. Stewart
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: [email protected]
@bdstewart3

Stay up to date! Join the MMM IoT Group on LinkedIn for our frequent posts on IoT security, privacy, and IP issues.

Page 23: IoT PPT Deck

Disclaimer

The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to constitute legal advice.

Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.

The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.

This document is Copyright ©2016 Morris, Manning & Martin, LLP. All rights reserved worldwide.