by Philip Favro, senior discovery counsel, Recommind

With the Internet of Things (IoT) having emerged as the latest technology phenomenon, the business world is now faced with the challenge of confronting its incorporation into processes head on. Workplaces, businesses, and even homes are being flooded by an increasing number of interconnected devices, applications, technologies, and other innovations. This proliferation of the IoT is resulting in tremendous growth of the volume and variety of data being produced, giving rise to heightened concerns around the privacy and security risks associated with data protection. Given the potential significance that IoT data could hold in legal matters, organisations should begin making preparations so they are ready when a tidal wave of IoT-related issues arrives.

Drowning in data
The two key dangers of IoT for enterprises are data privacy and information security. These issues come into play when IoT devices inadvertently or intentionally gather personally identifiable information (PII) belonging to consumers or employees, or when that PII is then transmitted, processed, and stored by entities tasked with owning and/or operating the device. Either of the above scenarios could land a company in treacherous legal waters. Sweeping up PII could violate data protection laws that proscribe the collection of PII, particularly without the data subject’s consent. In addition, transmission or storage methods that lack appropriate security may leave PII subject to hacks or other unauthorised interceptions.

To illustrate this issue, let’s look at a recent real life example involving electronics manufacturer Samsung. Earlier this year, Samsung acknowledged that its smart TVs could eavesdrop and record viewers’ voice commands. Buried in the boilerplate of its privacy policy, Samsung had disclosed that a viewer’s “spoken words” in the presence of the TV – no matter how personal – apparently “will be among the data captured and transmitted to a third party through your use of Voice Recognition.” After many media outlets reported on the issue, Samsung revised that provision to apparently clarify and soften its impact. But the IoT problems with Samsung’s smart TVs didn’t end there. It was subsequently revealed that viewers’ voice commands are transmitted to third parties through unencrypted transmissions, leaving that data vulnerable to “a man-in-the-middle in the network to eavesdrop on the data and tamper with it.”

Navigating the eDisclosure maze
Beyond privacy and security, there are eDisclosure dangers lurking beneath the surface of companies’ information governance programs. These dangers – which are particularly acute in the context of litigation holds and data preservation – are becoming better known through industry education efforts. For example, Ignatius Grande from the international law firm of Hughes, Hubbard & Reed explained that the IoT was not designed with an eye toward litigation, saying “many products in the IoT sphere are not created with litigation hold, preservation and collection in mind… In terms of liability… companies will most likely be responsible to preserve data produced by the capabilities of their products and services in the event of a litigation hold.”

As a result, unless appropriate measures are adopted to ensure that IoT data is kept for litigation matters, relevant IoT materials could be lost, setting the stage for expensive and time-consuming compliance processes and additional regulatory issues.

Ensuring smooth sailing
It seems clear that organisations need to have an actionable plan to prepare for the privacy, security and eDisclosure implications of the IoT. As an initial phase in preparation, companies should determine the extent to which the IoT will affect their consumers and employees, which will provide clarity on the next steps that should be taken.

One of those steps should involve the development of an information governance strategy that accounts for the IoT. Such a strategy should include a plan for identifying information that must be kept for business or legal purposes while isolating other data (particularly PII) for eventual deletion. It should also encompass steps to ensure compliance with the privacy expectations of data protection authorities. Enterprises will also need to ensure that their litigation readiness programs are updated to include a process for preserving and producing relevant IoT data.

Being proactive in anticipating the privacy and security issues that will inevitably arise from the proliferation of IoT will help companies avoid many of the associated treacherous legal and compliance problems. While smooth sailing all of the time cannot be entirely guaranteed, it will certainly establish a process that can enable the successful incorporation of IoT within an organisation’s infrastructure.