mobile devices and internet of things
TRANSCRIPT
Mobile Devices and Internet of Things
Benchmark Litigation Data Security & Privacy Forum - February 11, 2016
2Contents
1. IoT – What Are We Talking About
2. IoT – Examples and Framework for Privacy Analysis
3. Top 10 Practitioner Tips for Successful Development and Roll-Out of IoT
4. A Few Resources
3Introductions
James H. Koenig (Moderator)Privacy and Cybersecurity Practice and IoT PracticePaul Hastings [email protected]
Debra BromsonHead of Global Privacy and Sr. Compliance CounselJazz Pharmaceuticals
Seth BlinderSenior CounselPrivacy & Data ProtectionMasterCard
Section 3. Overview of a Proposed Assessment for Pfizer
IoT – What Are We Talking About,Examples and Framework for Privacy Analysis
5IoT – What Are We Talking About
FTC Definition. “The Internet of Things (“IoT”) refers to the ability of everyday objects to connect to the Internet and to send and receive data.”
Promise and Challenge.
IoT technologies have great promise for allowing certain functions to be triggered by passive monitoring criteria. Need to balance convenience with privacy and security.
Internet of Things by the Numbers:• 25 billion connected devices worldwide (FTC 2/15)• Gartner Estimated (2015):
• 2.9 billion connected devices in just the consumer sector• 5 billion devices total• 25 billion by 2020
6IoT – Examples and Framework for Privacy AnalysisIoT Examples: Privacy and Security by Design - Essential for IoT Success. Smart Home. When you near your home, the garage door opens and the lights and heat turn on to your
preferred setting. While convenient and cost-efficient for the homeowner, if access to this technology were to fall into the wrong hands it could notify a burglar in real-time when you are home and, from monitoring your history, could reliably predict your typical routine.
Connected Cars. While autonomous-driving cars promise increased efficiencies in traffic and fewer collisions, if privacy and security are not properly built in by design, the control of such a vehicle could be commandeered by a hacker, possibly jeopardizing the personal safety and security of the passengers.
Smart Buildings/Cities. By monitoring when people are in offices and the surrounding sun and weather conditions, smart building and security technologies are already creating energy heating and cooling cost savings. Yet, if proper safeguards are not implemented, such technologies may unintentionally capture private, personal images (e.g., pictures of individuals who are having a relationship and wanted to be private and alone).
Addressable Medical Devices. While internet-based glucose pumps and heart pacemakers have helped patients better monitor and manage conditions, if proper cybersecurity assessments are not conducted as required by the FDA, a medical device could be weaponized by a hacker and put the patient’s health and safety at risk.
IoT Privacy Sensitivity Framework (Used in Automotive, Health & Telecomm)• Level 1 – Direct Action/Reaction (IoT to replace a human action, like turn a light off)• Level 2 – Delegates Decision-Making and/or Involves Machine Learning (“Drive
me to X” (or takes actions based on your learned routine or preferences)) • Level 3 – Information Sharing and Device to Device Communications
(can be platform-to-platform or network-to-network curated sharing decisions)
Section 3. Overview of a Proposed Assessment for Pfizer
Top 10 Practitioner Tips for Successful Development and Roll-Out of IoT
8Top 10 Practitioner Tips for IoT Success
• Tip: Map the personally identifiable information flows and uses (common now), but also map other information that could be used in analytics or otherwise combined to identify a person (e.g., location/GPS, vital signs). [Debbie]
1. Map, Map, Map
• Tip: In IoT, information is collected and pulled in many more directions than before and involves more parties. Mapping now must also track the rights and obligations of each involved party. [Seth]
2. Understand the Right and Obligations
©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis• Global patchwork of privacy laws + globalized business =
challenge
3 May 20239
• How does this come up?• Most projects are multijurisdictional• MasterPass – Product Development and
Expansion• Simplify Commerce – Product Development and
Expansion• MasterCard Datacash – Acquired UK payment
processing business
©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis
• Goal is always to understand the rights and obligations that attach to data at point of collection and throughout lifecycle
• First, what is the business matter at hand?– What are we doing (and where)? – What is our role in the ecosystem?– Who are we working with?
• Then, how does data layer in? – Country of collection / data subject– Entity/mechanism of collection– Notice & consent mechanics– Cross-border transfers– Type of data elements collected and processed– Nature of processing (primary and secondary uses)– Sharing with third parties / participants in an ecosystem
3 May 202310
©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis
• Result of that analysis drives – Product design– Contract terms– Security protocol– Risk allocation and determination
• Analysis applies to all situations– Acquisitions and investments– Product development and expansion– Contracting with customers and vendors– Incident response
3 May 202311
12Top 10 Practitioner Tips for IoT Success
• Tip: In IoT, information is collected and pulled in many more directions than before and involves more parties. Mapping now must also track the rights and obligations of each involved party. [Seth]
3. Privacy Notice Maybe Dead (or Morphing) – How to Address in IoT
• Tip: New Technology needs new model to succeed. Consider model for agency over permissions. [Jim]
4. Sharing and Notice
©2015 MasterCard.Proprietary and Confidential
May 3, 2023
Data Minimization• Only collect the data necessary for
purposes at hand, not additional
Security• Data should be protected by
reasonable security safeguards
Openness• Provide transparency• Data subject has rights to know
what is being done with their data• Avoid surprises
Notice• Explain what data is being
collected• Who it will be shared with• What is being done to it
Consent• Informed, voluntary,
current and specific• Revocable (opt-outs)
Use Limitation• Only use, share, disclose
data with consent of data subject
• No secondary uses
Fair Information Privacy Principles
14Top 10 Practitioner Tips for IoT Success
• Tip: Employ data minimization and creativity for security (e.g., keep information on the device, not networked). [Debbie]
5. Know Where Your Data Is
• Tip: Work with engineers and set up escalation process for sensitive activities. [Seth]
6. Privacy and Security By Design
15Top 10 Practitioner Tips for IoT Success
• Tip: For IoT security assessments, this is different than historical, controls security assessments as the threat surface and potential areas for vulnerabilities expands. [Debbie]
7. Conduct a Cybersecurity and Threat Assessment
• Tip: Privacy Impact Assessments (take many forms) are key to identify potential repercussions of secondary and unintended uses and consequences. [Jim]
8. Conduct a Privacy Impact Assessment
16Top 10 Practitioner Tips for IoT Success
• Tip: IoT often involves data processed, stored or analyzed in the cloud. Be alert when data flows into many jurisdictions outside of the US. [Seth]
9. Jurisdictions
• Tip: Avoid being creepy! [Jim, Debbie and Seth]
10. Business Judgment
Section 3. Overview of a Proposed Assessment for Pfizer
A Few Resources
18A Few Resources
Favorites Resources. Among the many resources available, below are a few key resources:
i. FTC – Internet of Things – Privacy and Security in a Connected World, FTC Report on the Internet of Things (IoT) 2015. https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
ii. FDA - Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, FDA Guidance in October 2014. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
iii. FDA – Design Considerations and Pre- Market Submission Recommendations for Interoperable Medical Devices, FDA Draft Guidance in January 2016. http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482649.pdf
iv. EU Article 29 Committee - Opinion 9/2014 on the on Recent Developments on the Internet of Things. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
v. UK Police - Internet of things: potential risk of crime and how to prevent it, March 2015. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/410117/Internet_of_things_-_FINAL.pdf
