Data Privacy and Security in the Age of IoT (Internet of Things) - PowerPoint PPT Presentation
What is IoT? (The Internet of Things)
IoT is a Concept, Not a List of Devices
▪ IoT is the concept of connecting any device with an on and off switch to the Internet (and/or to each other).
▪ This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane, the drill of an oil rig or a medical device like a pacemaker.
How Many Devices?
What is the Future of IoT?
RFID Chips in Your Hand?
▪ https://www.cnet.com/videos/employee-microchips-are-being-implanted-into-workers/
Who Regulates?
▪ Legislation and Regulation
▪ International Law – GDPR
▪ Federal – FDA (medical devices), FTC (consumer devices)
▪ State
▪ Local
▪ Non-Governmental Entities
▪ Insurers – underwriting
▪ Plaintiffs – in the case of a data breach, for example
▪ Standards Agencies
▪ Trade Groups
General Data Protection Regulation
GDPR Basics
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime. Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
GDPR Basics Cont’d
▪ (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
▪ (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
▪ (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
▪ (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Does the GDPR Apply to Your Company?
▪ “It’s important to note that [the GDPR] is applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations because they are outside the jurisdiction of the EU.” https://iapp.org/news/a/what-does-territorial-scope-mean-under-the-gdpr/
▪ Organizations may demonstrate "intention of offering goods and services" to EU citizens under the following circumstances:
▪ The organization provides the option to interact with the website in the native language and currency of an EU Member State; and/or
▪ The organization advertises its customers or users (i.e. testimonials) that are based in the Union with the goal of appealing to other users in the same locality.
According to the Court of Justice of the EU, “Intention” of Offering Products to EU Citizens can be demonstrated by:
“Patent” evidence, such as the payment of money to a search engine to facilitate access by those within a member state or where targeted member states are designated by name; Other factors — possibly in combination with each other — including the “international nature” of the relevant activity (e.g. certain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu), the description of “itineraries ... from member states to the place where the service is provided,” and mentions of an “international clientele composed of customers domiciled in various member states.”
If You Collect Data on an EU Citizen, This Means You!
The California Consumer Protection Act – GDPR Lite
Key Provisions of the CCPA
▪ The CCPA gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
▪ the right to know, through a general privacy policy and with more specifics available upon request, what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
▪ the right to “opt out” of allowing a business to sell their personal information to third parties (or, for consumers who are under 16 years old, the right not to have their personal information sold absent their, or their parent’s, opt-in);
▪ the right to have a business delete their personal information, with some exceptions; and
▪ the right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.
▪ Effective January 1, 2020.
When Does the CCPA Apply?
▪ The CCPA applies to any company doing business or with employees in California if they:
▪ generate $25 million or more a year in revenue;
▪ annually buy, receive, sell, or share personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
▪ derive 50% or more of their annual revenue from selling consumer personal information.
CCPA Penalties:
▪ Non-compliant organizations are penalized through administrative fines upon the expiration of a 30-day notice of violation and opportunity to correct. These fines may not exceed $2,500 per violation or $7,500 for intentional violations.
▪ https://www.jdsupra.com/legalnews/the-california-consumer-privacy-act-of-32632/
State Laws
▪ All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
▪ http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
California Enacts First IoT Data Privacy Law
▪ Beginning January 1, 2020, California state law will require manufacturers of IoT devices to equip such devices with “reasonable” security features that protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
▪ The new law specifically notes that if a connected device is equipped with a means for authentication outside a local area network, reasonable features would include:
▪ assigning unique preprogrammed passwords, and
▪ security features that require a user to generate a new means of authentication before access is granted to the device for the first time.
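As an added illustration (not code from the presentation), the following models the two "reasonable" features the California IoT law names for a device that accepts authentication from outside the LAN: a per-unit preprogrammed password generated at manufacture, and a first-access step that forces the owner to replace it before any access is granted. The `Device` class, the serial numbers and the shared-default list are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed for the demo: shared factory defaults a manufacturer must not preprogram.
SHARED_DEFAULTS = {"admin", "password", "12345678", "default"}


def provision_password() -> str:
    """Generate the unit's own preprogrammed password at manufacture time.

    Every unit gets a fresh random value (printed on its label), so no two
    devices share a credential: the 'unique preprogrammed password' feature.
    """
    return secrets.token_urlsafe(12)


@dataclass
class Device:
    serial: str
    remote_auth_enabled: bool              # accepts authentication from outside the LAN
    preprogrammed_password: str            # unique per unit, from provision_password()
    user_password: Optional[str] = None    # chosen by the owner on first access

    def set_initial_password(self, preprogrammed: str, new_password: str) -> bool:
        """First-access step: prove possession of the label password, then replace it."""
        if self.user_password is not None:
            return False  # already initialised; the label password is retired
        if not secrets.compare_digest(preprogrammed, self.preprogrammed_password):
            return False
        if new_password in SHARED_DEFAULTS or len(new_password) < 8:
            return False  # refuse a weak or well-known replacement
        self.user_password = new_password
        return True

    def authenticate(self, password: str, from_lan: bool) -> bool:
        """Grant access only with the owner-chosen credential.

        The label password alone never unlocks the device, so until the owner
        has set a new one nothing is granted: the 'generate a new means of
        authentication before first access' feature.
        """
        if not from_lan and not self.remote_auth_enabled:
            return False  # device does not offer remote authentication at all
        if self.user_password is None:
            return False  # first-access step not completed yet
        return secrets.compare_digest(password, self.user_password)
```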
The Data Care Act of 2018
Data Care Act of 2018
▪ Personal data under the bill includes:
▪ Social Security number,
▪ Driver’s license number,
▪ Passport or military identification number,
▪ Financial account number, credit or debit card number with the access code or password necessary to permit access to the financial account,
▪ Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation,
▪ Account information such as user name and password or email address and password,
▪ First and last name of an individual or first initial and last name, in combination with date of birth.
▪ Committee on Banking, Housing, and Urban Affairs currently holding hearings.
▪ Purports to preempt state laws like the CCPA.
The Data Care Act of 2018
▪ S.3744 – Data Care Act of 2018 – A Bill “To establish duties for online service providers with respect to end user data that such providers collect and use.”
▪ Imposes a “Duty of Care, Loyalty, and Confidentiality” to secure individual identifying data from unauthorized access and inform the end user of any such breach of duty.
▪ Read twice and referred to the Committee on Commerce, Science, and Transportation on 12/12/2018.
Penalties for Violation of The Data Care Act
▪ An online service provider that is found, in an action brought under paragraph (1), to have knowingly or repeatedly violated section 3 shall, in addition to any other penalty otherwise applicable to a violation of section 3, be liable for a civil penalty equal to the amount calculated by multiplying—
▪ (A) the greater of—
▪ (i) the number of days during which the online service provider was not in compliance with that section; or
▪ (ii) the number of end users who were harmed as a result of the violation; by
▪ (B) an amount not to exceed the maximum civil penalty for which a person, partnership, or corporation may be liable under section 5(m)(1)(A) of the Federal Trade Commission Act (15 U.S.C. 45(m)(1)(A)) (including any adjustments for inflation).
Why Are IoT Devices Important to Lawyers?
▪ In 2012, the ABA added Comment 8 to Rule 1.1 (Competence) of the Model Rules of Professional Conduct.
▪ [8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
▪ Note: The ABA Standing Committee on Ethics and Professional Responsibility issued a revision to Formal Opinion 477R as of May 22, 2017 and noted the unencrypted use of routine email is still acceptable, but…it may not always be “reasonable” to rely on electronic communications through certain mobile applications, on message boards, or on UNSECURED network connections. Formal Opinion 477R at pg. 5.
Ethics - The Bottom Line
As a lawyer, you now have an ethical obligation to keep up to date on any available evidence that can help or hurt your case. You also have a legal and ethical obligation not to break the law while investigating your client’s case.
Panel Discussion on Practical