The Internet of Things: Best Practices for Privacy, Data Security, and IP Protection
Morris, Manning & Martin, LLP
Benjamin J. Warlick
404.504.5419
bwarlick@mmmlaw.com
@BenJWarlick
Bryan D. Stewart
404.504.5421
bstewart@mmmlaw.com
@bdstewart3
The World of IoT…
• IoT = Internet-connected “smart” and autonomous objects
• Recent forecast by Gartner:
• 6.4 billion “things” in 2016; 20.8 billion by 2020
• Today’s Agenda
• IoT challenges
• Legal/Regulatory background
• Industry guidelines
• IP protection
• Best practices
IoT Challenges
Security Challenges:
• Limited computing power
• Limited battery power
• Limited bandwidth
Privacy Challenges:
• Limited user interface for notice and consent
• Collection of behavioral patterns may be highly sensitive
IP Challenges:
• Systems may include many “light-weight” sensors
• Software patentability issues
Security and Privacy – Why Worry?
2011 reports on Fitbit security lapses:
• User profiles public
• No encryption or authentication
• Transmission of login credentials in plaintext
Some recent IoT security failures:
• Stuxnet attack on Iranian centrifuges
• Iranian attack on New York dam
• Damage to German blast furnace
IoT Class Action Litigation
• Mattel – Hello Barbie
• Although a parent must consent to activate Hello Barbie, the plaintiffs allege that other children are exposed
• ADT – home/business security systems
• Plaintiffs allege that the security systems are marketed as safe and reliable, but the wireless signals between sensors and the control system are unencrypted and unauthenticated
• Vizio – smart TVs
• Plaintiffs allege that Vizio smart TVs record viewers’ IP addresses and viewing data, including what users are watching and when, and send it to third parties to customize ads
FTC Enforcement Action
TRENDnet
• First enforcement action involving an Internet-connected device
• FTC allegations:
• Transmitted user login credentials in clear text over the Internet
• Stored login credentials in clear text on users’ mobile devices
• Failed to test that video feeds marked as private would in fact be private
• Hackers were able to access live feeds
Regulatory/Legal Background
• In the United States there is no general privacy or security statute
• Primary sources of government authority:
• Federal laws: Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), CAN-SPAM, Children’s Online Privacy Protection Act (COPPA), Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA)
• State privacy and data breach notification laws
• Federal and state agency regulations and guidelines
• Industry guidance
Federal Statutes and Agencies
HIPAA: Covered health care entities must implement safeguards to protect individually identifiable health information.
Children’s Online Privacy Protection Act (COPPA): Key requirements for commercial website or online service providers targeting children under 13: before collecting personal information from children, must provide notice to the child’s parent and obtain consent from the parent.
Federal Trade Commission Act (FTC): FTC may initiate enforcement actions against companies for alleged “unfair or deceptive acts or practices in or affecting commerce . . .”
Food & Drug Administration (FDA): recently issued draft guidance on cybersecurity for approved Internet-connected medical devices.
FTC Staff Report on the IoT
Privacy
Data minimization
• Limit data collected and retained, and dispose of data once it is no longer needed
Notice and choice
• Choice is not required before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer
• To provide notice and request consent, FTC suggests developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard
FTC Staff Report on the IoT
Security
1. Build security into devices at the outset, rather than as an afterthought
2. Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
3. Retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers
4. When significant risks are identified, implement a defense-in-depth approach, in which security measures are considered at several levels
5. Implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network
6. Monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities
IoT – Industry Guidelines
• NIST Cybersecurity Framework
• Online Trust Alliance (OTA) – IoT Trust Framework
• Commitment to comply with relevant regulatory requirements
• Identifies a set of 30 minimum security and privacy requirements and recommendations
• WearFit – IEEE Center for Secure Design
• Envisions a fictional wearable fitness tracking system
• Walks through 10 potential security flaws and how to avoid them
Privacy Policy
• A privacy policy statement explains how a business collects, uses, shares, and manages personal information
• Required by CalOPPA, HIPAA
• Risk of enforcement action if a business fails to comply with its privacy policy
• Include COPPA notice
• Do not promise what you cannot deliver (e.g., if you say you will not sell data to third parties, you must comply with your own statements)
Intellectual Property Challenges with IoT
• First-to-file patent regime (race to the patent office)
• Systems may include many “light-weight” sensors (potentially difficult to patent if “off the shelf” components)
• Software patentability issues (potentially difficult to protect data collection)
• Potential disclosure issues (trade secret versus patent)
• Standards and FRAND
IP Protection
Copyright – Protects original works of authorship (software)
Trademark – Protects brands or product names
Trade Secret – Protects information that is not generally known, and has economic value because it is not generally known – prevent security risks?
Patent – Protects “inventions” in the form of processes, machines, compositions of matter, and articles of manufacture, but requires public disclosure
Why Does IP Matter?
• IP should be a part of overall business strategy (even if the strategy is not to seek IP protection)
• Add value to company
• Protection
• Competitive advantage (barrier to entry)
• Administrative efficiencies
• Discrete properties that can be bought, sold, and traded
• IoT has been topping the charts in M&A activity
• Last year Jawbone launched a patent war against Fitbit (alleged patent infringement and theft of trade secrets)
IP Protection
Patent Infringement: make, use, offer to sell (or sell), or import what is described in the patent claims.
How do you protect a hub and sensor system, if some parts may be sold by separate parties?
[Figure: a hub connected to three sensors]
IP Protection
OPTION 1: Draft claims around the hub.
[Figure: a hub connected to three sensors]
IP Protection
OPTION 2: Draft claims around a sensor.
[Figure: a hub connected to three sensors]
IP Protection
OPTION 3: Draft claims around more than one sensor.
[Figure: a hub connected to three sensors]
IP Protection
OPTION 4: Draft claims around the hub, a sensor, the combination of hub and sensor, and how signals are processed (separate claim sets – more robust / “patent thicket” protection).
[Figure: a hub connected to three sensors]
Summary of Best Practices
• Be compliant with federal and state regulatory requirements
• Prioritize security and privacy by design; be familiar with industry practice
• Limit data collected and retained
• Allow consumers notice and choice in how their data is collected, used, and shared
• Be proactive in identifying security risks throughout the product lifecycle
• Consider IP early as part of the overall business strategy
Thank You!
Benjamin J. Warlick
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: 404.504.5419
bwarlick@mmmlaw.com
@BenJWarlick
Bryan D. Stewart
Morris, Manning & Martin, LLP
1600 Atlanta Financial Center
3343 Peachtree Road, NE
Atlanta, Georgia 30326
Direct: 404.504.5421
bstewart@mmmlaw.com
@bdstewart3
Stay up to date! Join the MMM IoT Group on LinkedIn for our frequent posts on IoT security, privacy, and IP issues.
Disclaimer
The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to, constitute legal advice.
Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients.
The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP.
This document is Copyright ©2016 Morris, Manning & Martin, LLP. All rights reserved worldwide.