FTC Guidance For The Internet Of Things

The Federal Trade Commission has released its staff report on privacy and security issues related to the Internet of Things (IoT). The FTC report is an important starting point for IoT developers looking to implement best practices.

Many IoT devices create new security and privacy risks not seen in traditional hardware and software. For example, health and safety consequences of a security vulnerability in Internet-connected door locks or medical devices are potentially more severe than those created by the breach of a database holding consumer information.

The FTC says “companies should build security into their devices at the outset, rather than as an afterthought.” Companies developing IoT products should consider tasking someone, or some group, with responsibility for overseeing privacy and security issues. Building security into an organizational structure is crucial; it creates accountability and helps foster the type of deliberate thought the FTC wants IoT developers to devote to privacy and security issues. A privacy and security risk assessment is also recommended, and it must be taken seriously. An assessment that is ignored would be exhibit number one in any lawsuit or enforcement action.

Companies also need to consider security after launch. The FTC wants companies to monitor their products and patch known vulnerabilities.

The FTC suggests other best practices, such as implementing a “security-in-depth” approach that provides consumers multiple layers of protection. The FTC report also provides guidance about notice and choice regarding data collection for IoT products.