Ediscovery Comment: Navigating the choppy legal waters of the Internet of Things
by Philip Favro, senior discovery counsel, Recommind
With the Internet of Things (IoT) having emerged as the latest technology phenomenon, the business world is now faced with the challenge of confronting its incorporation into processes head on. Workplaces, businesses, and even homes are being flooded by an increasing number of interconnected devices, applications, technologies, and other innovations. This proliferation of the IoT is resulting in tremendous growth of the volume and variety of data being produced, giving rise to heightened concerns around the privacy and security risks associated with data protection. Given the potential significance that IoT data could hold in legal matters, organisations should begin making preparations so they are ready when a tidal wave of IoT-related issues arrives.
Drowning in data
The two key dangers of IoT for enterprises are data privacy and information security. These issues come into play when IoT devices inadvertently or intentionally gather personally identifiable information (PII) belonging to consumers or employees, or when that PII is then transmitted, processed, and stored by entities tasked with owning and/or operating the device. Either of the above scenarios could land a company in treacherous legal waters. Sweeping up PII could violate data protection laws that proscribe the collection of PII, particularly without the data subject’s consent. In addition, transmission or storage methods that lack appropriate security may leave PII subject to hacks or other unauthorised interceptions.
Navigating the eDisclosure maze
Beyond privacy and security, there are eDisclosure dangers lurking beneath the surface of companies’ information governance programs. These dangers – which are particularly acute in the context of litigation holds and data preservation – are becoming better known through industry education efforts. For example, Ignatius Grande from the international law firm of Hughes, Hubbard & Reed explained that the IoT was not designed with an eye toward litigation, saying “many products in the IoT sphere are not created with litigation hold, preservation and collection in mind… In terms of liability… companies will most likely be responsible to preserve data produced by the capabilities of their products and services in the event of a litigation hold.”
As a result, unless appropriate measures are adopted to ensure that IoT data is kept for litigation matters, relevant IoT materials could be lost, setting the stage for expensive and time-consuming compliance processes and additional regulatory issues.
Ensuring smooth sailing
It seems clear that organisations need to have an actionable plan to prepare for the privacy, security and eDisclosure implications of the IoT. As an initial phase in preparation, companies should determine the extent to which the IoT will affect their consumers and employees, which will provide clarity on the next steps that should be taken.
One of those steps should involve the development of an information governance strategy that accounts for the IoT. Such a strategy should include a plan for identifying information that must be kept for business or legal purposes while isolating other data (particularly PII) for eventual deletion. It should also encompass steps to ensure compliance with the privacy expectations of data protection authorities. Enterprises will also need to ensure that their litigation readiness programs are updated to include a process for preserving and producing relevant IoT data.
Being proactive in anticipating the privacy and security issues that will inevitably arise from the proliferation of IoT will help companies avoid many of the associated treacherous legal and compliance problems. While smooth sailing all of the time cannot be entirely guaranteed, it will certainly establish a process that can enable the successful incorporation of IoT within an organisation’s infrastructure.