IoT Security & Privacy is a Clear & Present Priority
As Ayla Networks’ Security and Privacy Officer, I think a lot about data privacy and security issues. Because privacy depends heavily on security, the two issues are closely interrelated, and they are the subject of today’s discussion.
We are very cognizant that IoT devices may collect personal data. Devices that listen to us or have cameras in our homes are obvious examples. As more companies apply AI and ML processing to the data collected, people get more concerned about their privacy. While we pay attention to privacy laws around the world, this post will mostly focus on US laws related to IoT.
Every state has its own form of data privacy regulation (either in draft or passed by the legislative body). In 2018, California enacted a GDPR-like privacy law, the California Consumer Privacy Act (which will be supplemented with the California Privacy Rights Act). Many privacy laws, particularly the CCPA/CPRA, have agencies tasked with enforcement, so there is a chance that a regulator may contact you if there is an issue. While Ayla is prepared to support our customers’ compliance with these and similar laws, your company needs to assess the requirements itself as they relate to your IoT product.
Privacy laws protect the use of personal information and typically define: 1) what information is ‘personal’, and 2) if there is a personal data breach, who needs to be notified and by when. One of the trends that we see is that what is deemed ‘personal’ under various laws has greatly expanded. Today, almost any information collected by an IoT device or the related mobile app is likely considered ‘personal’. Your company should be very transparent with its users about what is being collected, who the information is being shared with, and why. If there is a data breach involving Ayla and your company, Ayla would notify you, and depending on the situation and relevant regulation, you may need to notify your users.
Two important consumer rights found in most data protection laws are: the right for a user to request deletion of their personal data and the right to know what personal data is being collected. Given that companies have been helping users make these requests, Ayla has seen an increase in deletion requests. You may want to consider what your policy is around these requests. Most laws require that you take action within 30 days of a request, so prompt attention to these requests is strongly recommended.
Privacy and security will only become more of a focus. Recent discussions within the privacy community have me believing that there are several states preparing laws similar to the CCPA, with European-style definitions of what data is regulated. Congress is actively looking to define a federal regulation too, though it will likely be several years before that is finalized. In a related vein, it is the belief among security professionals that data breaches are going to happen. No system is 100% breach-resistant. Here at Ayla we can, and do, place numerous roadblocks to deter potential hackers. We also strive to recognize a data breach early, which limits the number of users affected and the related impact. Because of the highlighted focus on these issues, you might consider planning ahead with your executive staff, PR, and legal teams in order to have the best outcome for your company.
Ayla not only has a team dedicated to keeping up to date on privacy and security developments but also has the strong support of its executive management, all of which contributes to the company’s focus on these important principles. Ayla recognizes that globally, privacy regulations are both getting stronger and being enforced more and more over time. This is an area of growing risk both for our customers and Ayla. Ayla has staff that continually monitor these trends and update our products to address these increasing risks.