Data Privacy and Security in the Age of IoT(Internet of Things) - PowerPoint PPT Presentation

Data Privacy and Security in the Age of IoT(Internet of Things)

What is IoT? (The Internet of Things)

▪ IoT is the concept of connecting any device with an on and off switch to the Internet (and/or to each other). IoT is a Concept, ▪ This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, Not a List of wearable devices and almost anything else you can Devices think of. This also applies to components of machines, for example a jet engine of an airplane, the drill of an oil rig or a medical device like a pacemaker.

How Many Devices?

What is the Future of IoT? This Photo by Unknown Author is licensed under CC BY

▪ https://www.cnet.com/videos/employee-microchips- RFID Chips in are-being-implanted-into-workers/ Your Hand?

Who Regulates? ▪ Legislation and Regulation ▪ International Law – GDPR ▪ Federal – FDA (medical devices), FTC (consumer devices) ▪ State ▪ Local ▪ Non-Governmental Entities ▪ Insurers – underwriting ▪ Plaintiffs – In the case of a data breach, for example ▪ Standards Agencies ▪ Trade Groups

General Data Protection Regulation

GDPR Basics Article 5 of the GDPR sets out seven key Article 5(1) requires that personal data shall be: principles which lie at the heart of the general data protection regime. “(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

GDPR Basics Cont’d ▪ (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation ’); ▪ (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); ▪ (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); ▪ (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

▪ “It’s important to note that [the GDPR] is applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU .” https://iapp.org/news/a/what-does- territorial-scope-mean-under-the-gdpr/ Does the GDPR ▪ Organizations may demonstrate "intention of offering goods and Apply to Your services" to EU citizens under the following circumstances: Company? ▪ The organization provides the option to interact with the website in the native language and currency of an EU Member State; and/or ▪ The organization advertises its customers or users (i.e. testimonials) that are in based in the union with the goal of appealing to other users in the same locality.

According to the Court of Justice of the EU, “Intention” of Offering Products to EU Citizens can be demonstrated by: “Patent” evidence, such as the payment of money to a search engine to facilitate access by those within a member state or whe re targeted member states are designated by name; Other factors — possibly in combination with each other — including the “international nature” of the relevant activity (e.g. ce rtain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu ), the description of “itineraries ... from member states to the place where the service is provided,” and mentions of an “international clientele composed of customers domiciled in various member states.”

If You Collect Data on an EU Citizen, This Means You!

The California Consumer Protection Act – GDPR Lite

▪ The CCPA gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information: ▪ the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold; Key Provisions ▪ the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who of the CCPA are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt -in); ▪ the right to have a business delete their personal information, with some exceptions; and ▪ the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act. ▪ Effective January 1, 2020.

▪ The CCPA applies to any company doing business or with employees in California if they: ▪ generate $25 million or more a year in revenue; When Does the ▪ annually buy, receive, sell, or share personal information of 50,000 or more consumers, CCPA Apply? ▪ households, or devices for commercial purposes; or ▪ derive 50% or more of their annual revenue from selling consumer personal information.

▪ penalize non-compliant organizations through administrative fines upon the expiration of a 30 day notice of violation and opportunity to correct. These fines may not exceed $2,500 per violation or $7,500 for CCPA Penalties: intentional violations. ▪ https://www.jdsupra.com/legalnews/the-california- consumer-privacy-act-of-32632/ 3/6

▪ All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. State Laws ▪ http://www.ncsl.org/research/telecommunications- and-information-technology/security-breach- notification-laws.aspx

▪ Beginning January 1, 2020, California state law will require manufacturers of IoT devices to equip such devices with “reasonable” security features thatprotect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. California Enacts First IoTData ▪ The new law specifically notes that if a connected device is Privacy Law equipped with a means for authentication outside a local area network, reasonable features would include: ▪ assigning unique preprogrammed passwords, and ▪ security features that require a user to generate a new means of authentication before access is granted to the device for the first time.

The Data Care Act of 2018

Data Care Act of ▪ Personal data under the bill includes: 2018 ▪ Social Security number, ▪ Driver’s license number, ▪ Passport or military identification number ▪ Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account ▪ Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation ▪ Account information such as user name and password or email address and password ▪ First and last name of an individual or first initial and last name, in combination with data of birth. ▪ Committee on Banking, Housing, and Urban Affairs currently holding hearings ▪ Purports to Preempt State Laws like the CCPA.

▪ S.3744 – Data Care Act of 2018 – A Bill “To establish duties for online service providers with respect to end user data that such providers collect and use .” ▪ Imposes a “Duty of Care, Loyalty, and Confidentiality” to The Data Care secure individual identifying data from unauthorized Act of 2018 access and inform the end user of any such breach of duty. ▪ Read twice and referred to the Committee on Commerce, Science, and Transportation on 12/12/2018.