Archive for the ‘Uncategorized’ Category

US and European moves to foster pro-active cybersecurity threat collaboration

Posted on March 12th, 2015 by



In this blog we report a little further on the proposals to share cybersecurity threat information within the United States. We also draw analogies with a similar initiative under the EU Cybersecurity Directive aimed at boosting security protections for critical infrastructure and enhancing information sharing around incidents that may impact that infrastructure within the EU.

Both of these mechanisms reflect a fully-formed ambition to see greater cybersecurity across the private sector. Whilst the approaches taken vary, both the EU and US wish to drive similar outcomes. Actors in the market are being asked to “up” their game. Cyber-crimes and cyber-threats are impacting companies financially, operationally and, at times, are having a detrimental impact on individuals and their privacy.

Sharing of cyber-threat information in the US

Last month we reported on Obama’s privacy proposals which included plans to enhance cybersecurity protection. These plans included requests to increase the budget available for detection and prevention mechanisms as well as for cybersecurity funding for the Pentagon. They also outlined plans for the creation of a single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks.

On February 12th 2015, President Obama signed a new Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.  In a Whitehouse Statement they emphasised that “[r]apid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone”.  The rhetoric is that, in sharing information about “risks”, all actors in the United States will be better protected and prepared to react.

This Executive Order therefore encourages a basis for more private sector and more private sector and government cybersecurity collaboration.  The Executive Order:

  • Encourages the development of Information Sharing Organizations: with the development of information sharing and analysis organizations (ISAOs) to serve as focal points for sharing;
  • Proposes the development of a common set of voluntary standards for information sharing organizations: with Department of Homeland Security being asked to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs;
  • Clarifies the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: the Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. It goes on to propose streamlining private sector companies’ ability to access classified cybersecurity threat information.

All in, Obama’s plan is to streamline private sector companies’ ability to access cybersecurity threat information. These plans were generally well-received as a step towards collective responsibility and security. Though some have voiced concern that there is scant mention of liability protection for businesses that share information threats with an ISAO. Commentators have pointed out that it is this fear of liability which is a major barrier to effective threat sharing.

Past US initiatives around improving cybersecurity infrastructure

This latest Executive Order promoting private sector information sharing came one year after the launch of another US-centric development. In February 2014, the National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity pursuant to another Executive Order of President Obama’s issued back in February 2013.

This Cybersecurity Framework contains a list of recommended practices for those with “critical infrastructures”.   The Cybersecurity Framework’s executive summary explains that “[t]he national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”

Obama’s 2013 Executive Order had called for the “development of a voluntary risk-based Cybersecurity Framework” being a set of industry standards and best practices to help organisations manage cybersecurity risks.  The resulting technology neutral Cybersecurity Framework was the result of interaction between the private sector and Government institutions. For now the use of the Cybersecurity Framework is voluntary and it relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. “Building from those standards, guidelines, and practices, the [Cybersecurity] Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.”

The Cybersecurity Framework was designed to complement, and not to replace, an organisation’s existing risk management process and cybersecurity program. There is recognition that it cannot be a one-size-fits-all solution and different organisations will have their own unique risks which may require additional considerations.

The Cybersecurity Framework states that it could be used a model for organisations outside of the United States. Yet even in the US there are open questions about how many are actually adopting and following it.

Similarities between US and European cybersecurity proposals

We have to draw analogies between the US initiatives in relation to cybersecurity and the more recent information sharing proposals with the draft EU Cybersecurity Directive which the team reported on in more detail in a recent blog. Both initiatives intend to drive behavioural change. But, as you may expect, the EU wants to introduce formal rules and consequences while the US remains focussed on building good cyber-citizens through awareness and information sharing.

The proposed Cybersecurity Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the European Union. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”). The NCA being analogous to the ISAO information sharing body concept being developed in the US.  In contrast to the US Framework the EU’s own cybersecurity initiatives are now delayed (with a likely date for mere agreement of the rules of summer 2015 and implementation not likely until 2018) and somewhat diluted compared to the original announced plans.

Both the US and EU cybersecurity initiatives aim to ensure that governments and private sector bodies involved in the provision of certain critical infrastructure take appropriate steps to deal with cybersecurity threats. Both encourage these actors to share information about cyber threats. Both facilitate a pro-active approach to cyber-risk. Whist the US approach is more about self-regulation within defined frameworks the EU is going further and mandating compliance – that’s a seismic shift.

In the EU we await to see the final extent of the “critical infrastructure providers” definition and whether or not “key internet enablers” will be caught within the rules or whether the more recent and narrower definition will prevail. Interplay with data breach notification rules within the upcoming General Data Protection Regulation is also of interest.

Impact

Undoubtedly cyber-risk can hit a corporate’s bottom-line. Keeping up with the pace of change and multitude of risks can be a real challenge for even the most agile of businesses. Taking adequate steps in this area is a continuous and often fast-moving process. Only time will tell us whether the information sharing and interactions that these US and EU proposals are predicated on are going to be frequent enough and fast enough to make any real difference. Cyber-readiness remains at the fore because the first to be hit still wants to preserve an adequate line of defence. The end game remains take appropriate technical and organisational measures to secure your networks and data.

Of course cyber-space does not respect or recognise borders. How national states co-operate and share cybersecurity threat information beyond the borders of the EU is a whole other story. What is certain is that as the cyber-threat response steps up, undoubtedly so too will the hackers and cyber-criminals. The EU’s challenge is to foster a uniform approach for more effective cybersecurity across all 28 Member States. The US also wants to improve its ability to identify and respond to cyber incidents. The US and EU understand that economic prosperity and national security depend on a collective responsibility to secure.

For those acting within the EU and beyond in the future, they will have to adjust to operating (and where required complying) in an effective way across each of the emerging cybersecurity systems.

Mark Webber, Partner Palo Alto, CAmark.webber@fieldfisher.com

 

Progress update on the draft EU Cybersecurity Directive

Posted on February 27th, 2015 by



In a blog earlier this year we commented on the status of the European Union (“EU”) Cybersecurity Strategy. Given that the Strategy’s flagship piece of legislation, the draft EU Cybersecurity Directive, was not adopted within the proposed institutional timeline of December 2014 and the growing concerns held by EU citizens about cybercrime, it seems that an update on EU legislative cybersecurity developments is somewhat overdue.

Background

As more of our lives are lived in a connected, digital world, the need for enhanced cybersecurity is evident. The cost of recent high-profile data breaches in the US involving Sony Pictures, JPMorgan Chase and Home Depot ran into hundreds of millions of dollars. A terrorist attack on critical infrastructure such as telecommunications or power supplies would be devastating. Some EU Member States have taken measures to improve cybersecurity but there is wide variation in the 28 country bloc and little sharing of expertise.

These factors gave rise to the European Commission’s (the “Commission”) publication in February 2013 of a proposed Directive 2013/0027 concerning measures to ensure a high common level of network and information security across the Union (the “proposed Directive”). The proposed Directive would impose minimum obligations on “market operators” and “public administrations” to harmonise and strengthen cybersecurity across the EU. Market operators would include energy suppliers, e-commerce platforms and application stores. The headline provision for business and organisations is the mandatory obligation to report security incidents to a national competent authority (“NCA”).

Where do things stand in the EU institutions on the proposed Directive?

On 13 March 2014 the European Parliament (the “Parliament”) adopted its report on the proposed Directive. It made a number of amendments to the Commission’s original text including:

  • the removal of “public administrations” and “internet enablers” (e.g. e-commerce platforms or application stores) from the scope of key compliance obligations;
  • the exclusion of software developers and hardware manufacturers;
  • the inclusion of a number of parameters to be considered by market operators to determine the significance of incidents and thus whether they must be reported to the NCA;
  • the enabling of Member States to designate more than one NCA;
  • the expansion of the concept of “damage” to include non-intentional force majeure damage;
  • the expansion of the list of critical infrastructure to include, for example, freight auxiliary services; and
  • the reduction of the burden on market operators including that they would be given the right to be heard or anonymised before any public disclosure and sanctions would only apply if they intentionally failed to comply or were grossly negligent.

In May-October 2014 the Council of the European Union (the “Council”) debated the proposed Directive at a series of meetings. It was broadly in favour of the Parliament’s amendments but disagreed over some high-level principles. Specifically, in the interests of speed and efficiency, the Council preferred to use existing bodies and arrangements rather than setting up a new cooperation mechanism between Member States.

In keeping with the Council’s general approach to draft EU legislation intended to harmonise practices between Member States, the institution also advocated the adoption of future-proofed flexible principles as opposed to concrete prescriptive requirements. Further, it contended that Member States should retain discretion over what information to share, if any, in the case of an incident, rather than imposing mandatory requirements.

In October-November 2014 the Commission, Parliament and Council commenced trilogue negotiations on an agreed joint text. The institutions were unable to come to an agreement during the negotiations due to the following sticking points:

  1. Scope. Member States are seeking the ability to assess (to agreed criteria) whether specific market operators come within the scope, whereas the Parliament wants all market operators within defined sectors to be captured.
  2. Internet enablers. The Parliament wants all internet enablers apart from internet exchanges to be excluded, whereas some Member States on the Council (France and Germany particularly) want to include cloud providers, social networks and search engines.
  3. There was also disagreement on the extent of strategic and operational cooperation and the criteria for incident notification.

What is the timetable for adoption of the proposed Directive?

There is political desire on behalf of the Commission to see the proposed Directive adopted as soon as possible. The Council has also stated that “the timely adoption of … the Cybersecurity Directive is essential for the completion of the Digital Single Market by 2015“.

Responsibility for enacting the reform now lies with the Latvian Presidency of the Council. On 30 January 2015, Latvian Transport Minister Anrijs Matiss stated that further trilogue negotiations would be held in March 2015, with the aim of adopting the proposed Directive by July 2015.

Once adopted, Member States will have 18 months to enact national implementing legislation so we could expect to see the proposed Directive come into force by early 2017.

How does the proposed Directive interact with other EU data privacy reforms?

In our previous blog we highlighted the difficulties facing market operators of complying with the proposed Directive in view of the potentially conflicting notification requirements in the existing e-Privacy Directive and the proposed General Data Protection Regulation (the “proposed GDPR”).

Although the text of the proposed Directive does anticipate the proposed GDPR, obliging market operators to protect personal data and implement security policies “in line with applicable data protection rules“, there has still been no EU guidance issued on how these overlapping or conflicting notification requirements would operate in practice.

Furthermore, any debate over which market operators fall within the scope of the breach notification requirements of the proposed Directive would seem to become superfluous once the proposed GDPR, with mandatory breach notifications for all data controllers, comes into force.

Comment

Rather unsurprisingly, the Commission’s broad reform has been somewhat diluted in Parliament and Council. This is a logical result of Member States seeking to impose their own standards, protect their own industries or harbouring doubts regarding the potential to harmonise practices where cybersecurity/infrastructure measures diverge markedly in sophistication and scope.

Nonetheless, the proposed Directive does still impose serious compliance obligations on market operators in relation to cybersecurity incident handling and notification.

At the risk of sounding somewhat hackneyed, for organisations, cyber data breaches are no longer a question of “if” but “when” for private and public sector bodies. Indeed, there is an increasing awareness that a high level of security in one link is no use if this is not replicated across the chain. Whether the proposed Directive meets its aim of reducing weak links across the EU remains to be seen.

Obama’s privacy proposals – one month on

Posted on February 19th, 2015 by



At the start of the year, the Obama administration placed a heavy emphasis on data protection, privacy and cybersecurity through a series of announcements and speeches on these topics in advance of the State of the Union address. This led to expectations that data protection issues and reform would feature prominently in the address itself. However, the content fell short of expectations, and instead pleas for bipartisan cooperation and a focus on President Obama’s legacy took centre stage.

Despite this, there were a number of drivers towards reform that the White House could not ignore, with cybersecurity being at the forefront following November’s high profile hacking of Sony Pictures. The 45 days which the government has given itself to draw up their promised revised Consumer Rights Bill (which will take the President’s February 2012 Consumer Data Privacy white paper as its blueprint) expires at the end of this month, and the result should prove enlightening. But in the month since the State of the Union address and the preceding announcements on privacy issues, what has actually happened?

Proposals for significant future budgetary funding in the fight against cyber threats: on 2nd February, the Obama administration announced its budget proposal for the 2016 fiscal year, which included a number of proposals for significant levels of funding in relation to cyber security. The overall figure requested was $14 billion, focusing on initiatives looking at detection and prevention mechanisms, as well as providing government-wide testing and incident response training. The Pentagon’s cybersecurity budget accounted for over a third of the overall figure, requesting $5.5 billion after a senior weapons tested told Congress in January that nearly every US weapons programme showed “significant vulnerabilities” to cyber attacks.

A single, central cybersecurity agency: the US government is establishing a new central agency, modelled on the National Counterterrorism Centre, to combat the threat from cyber attacks; the Cyber Threat Intelligence Center. It will begin with a staff of around 50 and a budget of $35 million. The idea has been circulating for a while, and the Sony Pictures hack in November was the final impetus needed to establish the central. Its announcement came last week (10th February), after the President alluded to it in the State of the Union when he said that the government would integrate intelligence to combat cyber threats “just as we have done to combat terrorism”.

A report by the Government Accountability Office (GAO) was released on 12th February, highlighting a number of high-risk gaps in the way in which the Department for Homeland Security deals with cybersecurity, as well as the protection of personally identifiable information. Whilst there has been a lot of discussion recently regarding the Obama Administration’s desire to improve cybersecurity and combat the threats, the GAO report found that it has “no overarching cybersecurity strategy that outlines performance measurements, specific roles of federal agencies, or accountability requirements”.

The White House Cybersecurity Summit held at Stanford University on 13th February was an opportunity for Obama to follow up on his pre-State of the Union cybersecurity promises, and he used it to highlight the key principles that he believes are at the heart of reducing the threat and frequency of cyber attacks:

  • the public and private sectors have to work together, given the prevalence of the private sector within the digital economy, coupled with the fact that it is the government who holds the most up to date cybersecurity data and threat alerts;
  • the government should focus on their strengths in quickly and efficiently disseminating information on cyber threats, whilst industry need to take responsibility for safeguarding their own networks;
  • speed and flexibility in reaching innovative solutions to combat threats are paramount, and all corners of business and government need to recognise this in order to meet the challenge presented by the technologically sophisticated people who pose these threats; and
  • cybersecurity must not be at the expense of privacy and the civil liberties of the American people, with Obama stating that “when government and industry share information about cyber threats, we’ve got to do so in a way that safeguards your personal information… When people go online, we shouldn’t have to forfeit the basic privacy we’re entitled to as Americans”.

An Executive Order entitled “Promoting private sector cybersecurity information sharing” followed the summit, and was signed by the President on 13th February. At the outset, the Order states its purpose:

“Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis“.

As well as the promotion of Information Sharing and Analysis Organizations (ISAOs) with voluntary data-sharing standards attached, the Order designates the National Cybersecurity and Communications Integration Center (NCCIC) as a critical infrastructure protection programme (giving it power to enter into voluntary agreements with ISAOs) and forces government agencies to coordinate their activities with senior government officials for privacy and civil liberties.

However, concern has been voiced from some in industry that the government should not be taking the lead on these issues, given “how uncertain the government really is about who does what in cyberspace” (Jeffrey Carr, president and CEO of Taia Global). Others remarked that matters that have been portrayed as issues of government espionage and a restriction on free speech, in particular the Snowden revelations were “a huge setback to the tune of several years” in relation to cybersecurity, given that the “balance between privacy and security ebbs and flows” (Dave DeWalt, CEO of security firm Mandiant).

In conclusion, it is clear that, despite the lack of discussion on the issue at the State of the Union, privacy and cybersecurity is on the Obama Administration’s radar as an essential element of Western and democratic societies. The biggest change is yet to come, in the form of the revised Consumer Rights Bill, but the initiatives and action taken on privacy issues so far this year have played a valuable part in bringing this to the forefront of the American political agenda.

US and UK Regulators position themselves to meet the needs of the IoT market

Posted on January 30th, 2015 by



The Internet of Things (“IoT“) is set to enable large numbers of previously unconnected devices to communicate and share data with one another.

In an earlier posting I examined the future potential regulatory landscape for the IoT market and introduced Ofcom’s (the UK’s communications regulator) 2014 consultation on the Internet of Things. This stakeholder consultation was issued in order to examine the emerging debate around this increasing interconnectivity between multiple devices and to guide Ofcom regulatory priorities. Since the consultation was issued, the potential privacy issues associated with IoT continue to attract the most attention but, as yet, no IoT issues have led to any specific laws or legal change.

In two separate developments in January 2015, the UK and US Internet of Things markets were exposed to more advanced thinking and guidance around the legal challenges of the IoT.

UK IoT developments

Ofcom published its Report: “Promoting investment and innovation in the Internet of Things: Summary of responses and next steps” (27 January 2015) which responded to the views gathered during the consultation which closed in the autumn of 2014. In this report Ofcom has identified several priority areas to focus on in order to support the growth of the IoT. These “next step” Ofcom priorities are summarised across four core areas:

Spectrum availability: where Ofcom concludes that “existing initiatives will help to meet much of the short to medium term spectrum demand for IoT services. These initiatives include making spectrum available in the 870/915MHz bands and liberalising licence conditions for existing mobile bands. We also note that some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services and technologies including Wi-Fi.” Ofcom goes on to recognise that, as IoT grows and the sector develops, there may be a renewed need to release more spectrum in the longer term.

Network security and resilience: where Ofcom holds the view that “as IoT services become an increasingly important part of our daily lives, there will be growing demands both in terms of the resilience of the networks used to transmit IoT data and the approaches used to securely store and process the data collected by IoT devices“. Working with other sector regulators where appropriate, Ofcom plans to continue existing security and resilience investigations and to extend its thoughts to the world of IoT.

Network addressing: where Ofcom, previously fearing numbering scarcity, now recognises that “telephone numbers are unlikely to be required for most IoT services. Instead IoT services will likely either use bespoke addressing systems or the IPv6 standard. Given this we intend to continue to monitor the progress being made by internet service providers (ISPs) in migrating to IPv6 connectivity and the demand for telephone numbers to verify this conclusion“; and

Privacy: In the particularly hot privacy arena there is nothing particularly new within Ofcom’s preliminary conclusions. Ofcom concludes that there is a need for “a common framework that allows consumers easily and transparently to authorise the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector.” In a world where the UK’s Data Protection Act already applies, it was inevitable that Ofcom (without a direct regulatory remit over privacy) would offer little further insight in this regard.

It’s not surprising to read from the Report that commentary within the responses highlighted data protection and privacy to potentially be the “greatest single barrier to the development of the IoT“. The findings from its consultation do foresee potential inhibitors to the IoT adoption resulting from these privacy challenges, and Ofcom acknowledges that the activities and guidance of the UK Information Commissioner (ICO) and other regulators will be pertinent to achieving clarity. Ofcom will be co-ordinating further cooperation and discussion with such bodies both nationally and internationally.

A measured approach to an emerging sector

Ofcom appears to be striking the right balance here for the UK. Ofcom suggests that future work with ICO and others could include examining some of the following privacy issues:

  • assessing the extent to which existing data protection regulations fully encompass the IoT;
  • considering a set of principles for the sharing of data within the IoT looking to principles of minimisation and restricting the overall time any data is stored for;
  • forming a better understanding of consumer attitudes to sharing data and considering techniques to provide consumers “with the necessary information to enable them to make an informed decision on whether to share their data“; and
  • in the longer term, exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.

The perceived need for more clarity around privacy and the IoT

International progress around self-regulation, standards and operational best practice will inevitably be slow. On the international stage, Ofcom suggests it will work with existing research groups (such as the ones hosted by BEREC amongst other EU regulators).

We of course already have insight from Working Party 29 in its September 2014 Opinion on the Internet of Things. The Fieldfisher privacy team expounded the Working Party’s regulatory mind-set in another of our Blogs. The Working Party has warned that the IoT can reveal ‘intimate details’; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics.

As with previous WP29 Opinions (think cloud, for example), the regulators in that Opinion have taken a very broad brush approach and have set the bar so high, that there is a risk that their guidance will be impossible to meet in practice and, therefore, may be largely ignored. This is in contrast to the more pragmatic FTC musings further explained below, though following a similar approach to protect privacy, the EU approach is far more alarmist and potentially restrictive.

Hopefully, as practical and innovative assessments are made in relation to technologies within the IoT, we may find new pragmatic solutions emerging to some of these privacy challenges. Perhaps the development of standard “labels” for transparency notifications to consumers, industry protocols for data sharing coupled with associated controls and possibly more recognition from the regulators that swamping consumers with more choices and information can sometimes amount to no choice at all (as citizens start to ignore a myriad of options and simply proceed with their connected lives ignoring the interference of another pop-up or check-box). Certainly with increasing device volumes and data uses in the IoT, consumers will continue to value their privacy. But, if this myriad of devices is without effective security, they will soon learn that both privacy and security issues count.

And in other news….US developments

Just as the UK’s regulators are turning their attention to the IoT, the Federal Trade Commission (FTC) also published a new Report on the IoT in January 2015: As Ofcom’s foray into the world of the IoT, the FTC’s steps in “Privacy & Security in a Connected World” are also exploratory. To a degree, there is now more pragmatic and realistic guidance around best practices in making IoT services available in the US than we have today in Europe.

In this report the FTC recommends “a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.” As with Ofcom, it recognises that best practice steps need to emerge to ensure the potential of the IoT can be recognised.  This reads as an active invitation to those playing in the IoT to self-regulate and act as good data citizens. With the surge in active enforcement by the FTC in during 2014, this is something worthy of attention for those engaged in the consumer facing world of the IoT.

As the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them the FTC’s approach focusses more on the risks that will arise from a lack of transparency and excessive data collection than the practical challenges the US IoT industry may encounter as the IoT and its devices create an increasing demand on infrastructure and spectrum.

The report focuses in on three core topics of (1) Security, (2) Data Minimisation and (3) Notice and Choice. Of particular note the FTC report makes a number of recommendations for anyone building solutions or deploying devices in the IoT space:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”

With echoes of privacy by design and data minimisation as well as recommendations to limit the collection and retention of information, suggestions to impose security on outside contractors and then recommendations to consider and notice and choice, it could transpire that the IoT space will be one where we’ll be seeing fewer differences in the application of US/EU best practice?!

In addition to its report, the FTC also released a new publication designed to provide practical advice about how to build security into products connected to the Internet of Things. This report “Careful Connections: Building Security in the Internet of Things” encourages both “a risk-based approach” and suggests businesses active in the IoT “take advantage of best practices developed by security experts, such as using strong encryption and proper authentication“.

Where next?

Both reports indicate a consolidation in regulatory thinking around the much hyped world of IoT. Neither report proposes concrete laws for the IoT and, if they are to come, such laws are some time off. The FTC even goes as far as saying “IoT-specific legislation at this stage would be premature“. However, it does actively “urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation”. Obama’s new data privacy proposals are obviously seen as a complementary step toward US consumer protection? What is clear is there are now emerging good practices and a deeper understanding at the regulators of the IoT, its potential and risks.

On both sides of the Atlantic the US and UK regulators are operating a “wait and see” policy. In the absence of legislation, with other potentially privacy sensitive emerging technologies we’ve seen self-regulatory programs within particular sectors or practices emerging to help guide and standardise practice around norms. This can protect at the same time as introducing an element of certainty around which business is able to innovate.

Mark Webber – Partner, Palo Alto California mark.webber@fieldfisher.com

 

Obama’s US privacy law proposals

Posted on January 19th, 2015 by



On 12 January 2015, President Obama announced a package of far-reaching and dramatic changes to the shape of privacy laws in the US. This package is seen as a direct response to the changing emphasis on privacy and data security in the US, in light of the Snowden revelations and the recent spate of cyber-attacks. The speech acted as a preview to the President’s annual State of the Union address, where the new privacy proposals will certainly feature.

The story so far

2014 saw an unprecedented number of increasingly severe and high-profile attacks on cyber security. In particular, the Sony Pictures hack in December 2014 brought the issue into the global consciousness, with huge amounts of personal and sensitive data about celebrities and Sony employees being released into the public domain. And in an embarrassing turn of events for President Obama, the US military’s Central Command (which leads US military action in the Middle East) was hacked shortly after his speech announcing the new proposals last week. In that instance, the military’s Twitter account was flooded with pro-Isis posts, some using the hashtag #CyberCaliphate, and the government was forced to admit that their account had been “compromised”. More justification for the introduction of far-reaching privacy reforms to address what President Obama called “enormous vulnerabilities”.

On the consumer side, a recent survey (the results of which were released in November 2014[1]) suggests that 91% of Americans believe that consumers have lost control over how personal information is collected and used by companies. The survey looked at attitudes to privacy and data in the wake of the Snowden scandal, and also revealed that 64% of Americans believe that it is up to the government to regulate the way advertisers access data. Both of these statistics will have provided further justification for the administration’s proposals.

So, what changes are on the horizon?

There are four major themes of the reforms proposed by Obama:

  • A Consumer Rights Bill

This is the most significant proposal, and likely to be the most controversial. Taking the President’s February 2012 Consumer Data Privacy white paper as a blueprint, the Obama administration has committed to releasing a revised legislative proposal within 45 days of the announcement, incorporating analysis from the public consultations held on that white paper. So by the end of February, we will have a clearer idea of how the Bill may look and its key priorities, which should take into account industry opinion from all sides of the debate.

  • Tackling identity theft

The introduction of the Personal Data Notification & Protection Act will establish a single, national standard for reporting data breaches, and mandate the report of any such breach within 30 days of the date of its occurrence. A number of companies have also committed to making customers’ credit scores available to them for free, allowing customers to take control of their credit history and providing an “early warning system” for identity theft.

  • Safeguarding student privacy

The central theme here is ensuring that data collected in the educational context is used only for educational purposes. To do this, the government will introduce the Student Digital Privacy Act, which will prevent companies from selling student data to third parties for purposes unrelated to the educational mission. Additionally, 75 companies have signed up to new commitments aimed at protecting against misuse of data, and the President used his speech to encourage others to follow suit.

  • Protecting electricity customer data with a code of conduct

The Department of Energy has developed a new voluntary code of conduct for utilities companies, aimed at protecting electricity customer data (including energy usage statistics). As more companies sign up, the government hopes that levels of consumer awareness will increase, thereby improving choice, making consent more informed and putting controls on data access.

Are the proposals likely to become law?

Of the changes above, it is the Consumer Rights Bill that is the stand-out point, both because of the changes it has the potential to bring and the controversy that will likely surround it. Given that president Obama faces a hostile Republican-controlled Congress for the first time in his administration, there will be significant obstacles to passing the bill. The Bill will likely go through many different iterations as it becomes closer to being a Bill that is capable of gaining the required Congressional support, and as such it is difficult to predict how far the reforms will go.

One factor which will determine successful passage of the proposals is the extent to which they are perceived as partisan Democrat policy. This is a question of proposal content and political communication. The President may be able to garner Republican support in both houses on the basis of recent high-profile privacy/cyber incidents (Sony hack, Target breach, US Central Command Twitter account hack) to ensure relatively speedy adoption of The Personal Data Notification & Protection Act and The Student Digital Privacy Act. Successful adoption of Consumer Rights Bill would seem to be a thornier matter.

There is also some debate as to the effect of any proposals, with consumer and privacy groups concerned that they may not match up to the protection afforded by some of the more robust State laws passed recently in areas such as California. Privacy campaigners say that a federal baseline is needed, but stress the importance of States being given the freedom to establish stricter standards and the concerns they have about what they see as inevitable watering down of the federal standard.

Furthermore, the proposals may give rise to a broader discussion about the role of long-standing federal agencies such as the Federal Trade Commission and the Department of Health and Human Services in regulating privacy issues. Indeed, there may well be calls for this greater federal harmonisation of privacy law to be accompanied by a dedicated federal data protection agency. It will be fascinating to see whether any debate on this issue will reflect the discussions currently taking place on the other side of the Atlantic in relation to the draft General Data Protection Regulation’s proposed one stop shop mechanism.

In addition, there is the possibility that some groups may interpret the Bill as the first step towards a Constitutional Amendment providing an explicit right to privacy. Any such interpretation would be extremely controversial, given the importance American culture attaches to freedom of expression, and the current international climate on this topic

The next chapter

The Obama administration seems serious about these proposals. The prominence that they are giving to the reforms in the week before the State of the Union is indicative of the fact that this is likely to be a major theme this year, rather than just occupying a line or two in the speech (as has been the case in the past).

The package discussed above deals with consumer protection and data privacy measures, but there is also widespread acknowledgement of the fact that government and private entities need to be in agreement on the changes being introduced. That means proper incentives for the private sector to buy in to the reforms, and safeguards for them when it comes to the government requesting disclosure of personal data from large organisations. The private sector is also concerned about disjointed compliance with the proposals, which risks putting those companies that comply with the proposals early on at a competitive disadvantage compared to those that hold out. This will slow the process and hinder reform.

There seems to be a level of consensus on the big ideas at the centre of these reforms, namely a need to reinforce cyber security and protect consumers for the mutual benefit of the individual, business and the economy. Making this a big issue at the State of the Union is the first step in driving the privacy reforms forward, but it is far from the end of the story.

[1] “Public Perceptions of Privacy and Security in the Post-Snowden Era” – Pew Research Centre, 12 Nov 2014

A New ISO Standard for Cloud Computing

Posted on November 5th, 2014 by



The summer of 2014 saw another ISO Standard published by the International Standards Organisation (ISO). ISO27018:2014 is a voluntary standard governing the processing of personal data in the public cloud.

With the catchy title of “Information technology – Security techniques – Code of the practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO27018“), it is perhaps not surprising that this long awaited standard is yet to slip off the tongue of every cloud enthusiast.  European readers may have assumed references to PII meant this standard was framed firmly on the US – wrong!

What is ISO27018?

ISO27018 sets out a framework of “commonly accepted control objectives, controls and guidelines” which can be followed by any data processors processing personal data on behalf of another party in the public cloud.

ISO27018 has been crafted by ISO to have broad application from large to small and from public entity to government of non-profit.

What is it trying to achieve?

Negotiations in cloud deals which involve the processing of personal data tend to be heavily influenced by the customer’s perceptions of heightened data risk and sometimes very real challenges to data privacy compliance. This is hurdle for many cloud adopters as they relinquish control over data and rely on the actions of another (and sometimes those under its control) to maintain adequate safeguards. In Europe, until we see the new Regulation perhaps, a data processor has no statutory obligations when processing personal data on behalf of another. ISO27018 goes some way to impose a level of responsibility for the personal information it processes.

ISO27018’s introductory pages call out its objectives:

  • It’s a tool to help the public cloud provider to comply with applicable obligations: for example there are requirements that the public cloud provider only processes personal information in accordance with the customer’s instructions and that they should assist the customer in cases of data subject access requests;
  • It’s an enabler of transparency allowing the provider to demonstrate why their cloud services are well governed: imposing good governance obligations on the public cloud provider around its information security organisation (eg the segregation of duties) and objectives around human resource security prior to (and during employment) and encouraging programmatic awareness and training. Plus it echoes the asset management and access controls elements of other ISO standards (see below);
  • It will assist the customer and vendor in documenting contractual obligations: by addressing typical contractually imposed accountability requirements; data breach notification, imposing adequate confidentially obligations on individuals touching on data and flowing down technical and organisation measures to sub-processors as well as requiring the documentation of data location. This said, a well advised customer may wish to delve deeper as this is not a full replacement for potential data controller to processor controls; and
  • It offers the public cloud customer a mechanism to exercise audit and compliance rights: with ISO27018’s potential application across disparate cloud environments, it remains to be seen whether a third party could certify compliance against some of the broader data control objectives contained in ISO27018. However, a regular review and reporting and/or conformity reviews may provide a means for vendor or third party verification (potentially of more use where shared and/or virtualised server environments practically frustrate direct data, systems and data governance practice audit by the customer).

ISO27018 goes some way towards delivering these safeguards. It is also a useful tool for a customer to evaluate the cloud services and data handling practices of a potential supplier. But it’s not simple and it’s not a substitute for imposing compliance and control via contract.

A responsible framework for public cloud processors

Privacy laws around the world prescribe nuanced, and sometimes no, obligations upon those who determine the manner in which personal information is used. Though ISO27018 is not specifically aimed at the challenges posed by European data protection laws, or any other jurisdiction for that matter, it is flexible enough to accommodate many of the inevitable variances. It cannot fit all current and may not fit to future rules. However, in building this flexibility, it loses some of its potential bite to generality.

Typically entities adopting ISO27001 (Information security management) are seeking to protect their own assets data but it is increasingly a benchmark standard for data management and handling among cloud vendors. ISO27018 builds upon the ISO27002 (Information technology – Security technique – Code of practice for information security controls) reflecting its controls, but adapting these for public cloud by mapping back to ISO27002 obligations where they remain relevant and supplementing these controls where necessary by prescribing additional controls for public cloud service provision (as set out separately in Annex A to ISO27018). As you may therefor expect, ISO27018 explicitly anticipates that a personal information controller would be subject to wider obligations than those specified and aimed at processors.

Adopting ISO27018

Acknowledging that the standard cannot be all-encompassing, and that the flavours of cloud are wide and varied, ISO27018 calls for an assessment to be made across applicable personal information “protection requirements”.  ISO27018 calls for the organisation to:

  • Assess the legal, statutory, regulatory and contractual obligations of it and its partners (noting particularly that some of these may mandate particular controls (for example preserving the need for written contractual obligations in relation to data security under Directive (95/46/EC) 7th Principle));
  • To complete a risk assessment across its business strategy and information risk profile; and
  • To factor in corporate policies (which may, at times, go further than the law for reasons of principle, global conformity or because of third party influences).

What ISO27018 should help with

ISO27018 offers a reference point for controllers who wish to adopt cloud solutions run by third party providers. It is a cloud computing information security control framework which may form part of a wider contractual commitment to protect and secure personal information.

As we briefly explained in an earlier post in our tech blog, the European Union has also spelled out its desire to promote uniform standard setting in cloud computing. ISO27018 could satisfy the need for broadly applicable, auditable data management framework for public cloud provision. But it’s not EU specific and lacks some of the rigour an EU based customer may seek.

What ISO27018 won’t help with

ISO27018 is not an exhaustive framework. There are a few obvious flaws:

  • It’s been designed for use in conjunction with the information security controls and objectives set out in ISO27002 and ISO27001 which provide general information security frameworks. This is a high threshold for small or emerging providers (many of which do not meet all these controls or certify to these standards today). So more accessible for large enterprise providers but something to weigh up – the more controls there are the more ways there are to slip up;
  • It may be used as a benchmark for security and, coupled with contractual commitments to meet and maintain selected elements of ISO27018, it won’t be relevant to all cloud solutions and compliance situations (though some will use it as if it were);
  • It perpetuates the use of the PII moniker which, already holding specific US legal connotation (i.e. narrower application) is now used is a wider defined context under ISO27018 (in fact PII under ISO27018 is closer to the definition of personal data under EU Directive 95/46/EC). This could confuse the stakeholders in multi-national deals and the corresponding use of PII in the full title to ISO27014 potentially misleads around the standard’s potentially applicability and use cases;
  • ISO27018 is of no use in situations where the cloud provider is (or assumes the role) of data controller and it assumes all data in the cloud is personal data (so watch this space for ISO27017 (coming soon) which will apply to any data (personal or otherwise)); and
  • For EU based data controllers, other than constructing certain security controls, ISO27018 is not a mechanism or alternative route to legitimise international data transfers outside of the European Economic Area. Additional controls will have to be implemented to ensure such data enjoys adequate protection.

What now?

ISO27018 is a voluntary standard and not law and it won’t entirely replace the need for specific contractual obligations around processing, accessing and transferring personal data. In a way its ultimate success can be gauged by the extent of eventual adoption. It will be used to differentiate, but it will not always answer all the questions a well-informed cloud adaptor should be asking.

It may be used in whole or in part and may be asserted and used alongside or as a part of contractual obligations, information handling best practice or simply a benchmark which a business will work towards. Inevitability there will be those who treat the Standard as if it is the law without thought about what they are seeking to protect against and what potential wrongs they are seeking to right.  If so, they will not reap the value of this kind of framework.

 

Are DPA notifications obsolete?

Posted on October 27th, 2014 by



For almost 10 years I’ve been practising data protection law and advising multinational organizations on their strategic approach to global data processing operations. Usually, when it comes to complying with European data protection law, notifying the organization’s data processing activities with the national data protection authorities (DPAs) is one of the most burdensome exercises. It may look simple, but companies often underestimate the work involved to do this.

As a reminder, article 18 of the Data Protection Directive 95/46/EC requires data controllers (or their representatives in Europe) to notify the DPA prior to carrying out their processing operations. In practise, this means that they must file a notification with the DPA in each Member State in which they are processing personal data, which specifies who is the data controller, the types of data that are collected, the purpose(s) for processing such data, whether any of that data gets transferred outside the EEA and how individuals can exercise their privacy rights.

In a perfect world, this would be a fairly straightforward process whereby organizations would simply file a single notification with the DPA in every Member State. But that would be too easy! The reality is that DPA notification procedures are not harmonized in Europe, which means that organizations must comply with the notification procedures of each Member State as defined by national law. As a result, each DPA has established its own notification rules which impose a pre-established notification form, procedure, and formalities on data controllers. Europe is not the only region to have notification rules. In Latin America, organizations must file a notification in Argentina, Uruguay in Peru. And several African countries (usually those who are members of the “Francophonie” such as Morocco, Senegal, Tunisia, and the Ivory Coast) have also adopted data protection laws requiring data controllers to notify their data processing activities.

Failing to comply with this requirement puts your organization at risk with the DPAs who have the power in some countries to conduct audits and inspections of an organization’s processing activities. If a company is found to be in violation of the law, some DPAs may impose sanctions (such as fines, public warnings) or order the data to be blocked or the data processing to cease immediately. Furthermore, companies may also be sanctioned by the national courts. For example, on October 8th, 2014, the labour chamber of the French Court of Cassation (the equivalent to the Supreme Court for civil and criminal matters) ruled that an employer could not use the data collected via the company’s messaging system as evidence to lay-off one of its employees for excessively using that messaging service for private purposes (i.e., due to the high number of private emails transiting via the messaging service) because the company had failed to notify the French Data Protection Authority (CNIL) prior to monitoring the use of the messaging service.

One could also argue that notifications may get scrapped altogether by the draft Data Protection Regulation (currently being discussed by the European legislator) and so companies will no longer be required to notify their data processing activities to the regulator. True, but don’t hold your breath for too long! The draft Regulation is currently stuck in the Council of ministers, and assuming it does get adopted by the European legislator, the most realistic date of adoption could be 2016. Given that the text has a two-year grace period before it comes into force, the Regulation would not come into force before 2018. And in its last meeting of October 3rd, 2014, the Council agreed to reach a partial general approach on the text of chapter IV of the draft Regulation on the understanding that “nothing is agreed until everything is agreed.”

So, are DPA notifications obsolete? The answer is clearly “no”. If you’re thinking: “why all the fuss? Do I really need to go through all this bureaucracy?” think again! The reason organizations must notify their data processing activities to the DPAs is simple: it’s the law. Until the Data Protection Regulation comes into force (and even then, some processing activities may still require the DPA’s prior approval), companies must continue to file their notifications. Doing so is a necessary component of any global privacy compliance project. It requires organizations to strategize their processing operations and to prioritize the jurisdictions in which they are developing their business. And failing to do so simply puts your organization at risk.

This article was first published in the IAPP’s Privacy Tracker on October 23rd, 2014.

Belgian Data Protection Day to focus on “privacy in the workplace”

Posted on October 16th, 2014 by



Two years ago, the Belgian Data Protection authority (“Privacy Commission”) published its guidelines on the monitoring of e-mail and internet usage in the workplace. Its aim was to clarify previous recommendations and highlight any potential conflicts of law between the Collective Bargaining Agreement n° 81 on the monitoring of electronic communications of employees and various other laws prohibiting unlawful monitoring (see our previous blog post at http://www.fieldfisher.com/publications/2011/08/belgian-privacy-commission-clarifies-employee-monitoring#sthash.oScWaq6x.dpbs).

While these recommendations addressed a lot of the common issues faced by businesses, they still did not provide answers to all the questions posed. A recurring problem faced by employers is whether or not they can have access to an employee’s e-mail account. In certain circumstances, be it in the context of a dismissal or in the case of harassment for example, an employer may require access to ensure the continuity of services to clients or to investigate the allegations that have been made.

The most frequently asked questions in these situations are:

  • If suspicious behaviour is identified, what level of forensic examination is justified?
  • Should the rules to be interpreted differently depending on whether the person behaving suspiciously is still employed by the investigating organisation or not?
  • How should the “reasonable expectations of privacy” doctrine be interpreted and applied?

It is clear this is a hot topic in Belgium and remains very divisive.

Accordingly, the Privacy Commission intends to devote its entire Data Protection Day on January 28th 2015 to “privacy in the workplace”.

On the same day, the Privacy Commission will also be providing additional guidance on this topic, with the aim of educating employers and employees about the necessity (and importance) of the protection of privacy and personal data in the workplace.

The Privacy Commission has invited Fieldfisher (as part of a select group of firms) to share our experience and knowledge of this topic with the delegates. If you have specific concerns, observations or comments which you would like to see addressed by the Privacy Commission, feel free to contact tim.vancanneyt@fieldfisher.com or aagje.degraeve@fieldfisher.com by early November.

New Belgian government increases focus on privacy

Posted on October 15th, 2014 by



More than four months after the federal elections, the new Belgian government has finally been sworn in. In many respects, this centre-right government is unique and unlike any previous administration. For example, it’s the first government in 25 years not to feature a socialist party and the first coalition ever with only one French-speaking party. In this post, I’ll be discussing its unprecedented focus on privacy.

In addition to specific chapters on the protection of Privacy and on cyber security, the Coalition Agreement contains numerous other references to Privacy throughout. What’s more, for the first time ever, a ‘secretary of state’ for Privacy has been appointed (this is a member of the cabinet who is assigned and reports to one of the ministers).

So what does this mean in practice? As always the text of the coalition agreement remains vague. However, the salient points are:

Increased privacy protection versus increased data mining

Interestingly, reference to privacy protection is mostly made in relation to government decisions to increase data mining and profiling. The government intends to extend the police’s powers for monitoring CCTV; increase the Judiciary Service and National Security’s powers to proactively investigate crimes; better monitor asylum seekers and enable cross-access to different public databases.

On the one hand it is obviously positive that the new government wants to reinforce the protection of individual’s privacy. However, reading between the lines, it seems the focus on privacy is also somewhat misleading. Indeed, the increased monitoring resulting from many of the new governmental measures risks turning the authorities into an even more powerful Big Brother than before.

Modernisation of the Belgian Data Protection Act versus need for robust harmonised EU privacy laws

The coalition agreement states (in a rather non-committal fashion) that, ‘where necessary’, the Belgian Data Protection Act will be modernised. In the absence of further detail, it currently remains unclear what this will mean in practice. It is unfortunate however to note that the new government states that as a rule, data processing should rely on informed consent. If the Belgian Data Protection Act were to be modified to reflect this, it would make businesses’ life more difficult without really improving the level of protection of data subjects. Some may fear that it would only increase the so-called ‘consent fatigue’.

More generally, one could ask why the government has chosen to update the Belgian Data Protection Act when the Data Protection Regulation on its way. While the coalition agreement still expressly states the need for solid harmonised EU privacy laws, it makes you wonder whether the new government is of the opinion that the Data Protection Regulation will not be adopted anywhere soon or even at all?

Privacy Commission will be reformed

The Belgian data protection authority also known as Privacy Commission, will be reformed by increasing the independence of its members, especially in the light of the new e-government initiatives that will be implemented. The coalition agreement remains silent as to whether the Privacy Commission will also be vested with fining powers. It does refer to the fact that appropriate sanctions must be applied in cases of infringement of data protection laws. This might suggest that in addition to the criminal sanctions, which are currently hardly ever applied, administrative sanctions will be adopted. In this context, it should be noted that the Privacy Commission itself requested for such powers earlier this year. We would therefore not be surprised if the Privacy Commission is granted more robust enforcement powers.

Cyber security high on the agenda

Since the Snowden revelations, cyber security remains high on the agenda in Belgium. The issues faced in resolving the cyber attack on Belgium’s incumbent and majority state-owned Telco – Belgacom and the hacking of the Ministry of Foreign Affairs’ systems demonstrated how Belgium was relatively unprepared for this type of situation. It therefore comes as no surprise that the new government will be  investing in the recently created Belgian Centre for Cyber Security. This centre will act as a coordinator and must provide advice to public authorities and take initiatives to help protect businesses and the general public. This is considered absolutely essential when it comes to increasing trust in the ‘digital society’ and allowing Belgium to play a leading role in terms of e-government, digital society and the internet of things.

Conclusion

The increased focus on privacy and data protection is of course to be applauded. The real question remains however whether this coalition agreement will result in any real, tangible improvements, or whether it is simply window-dressing. Much will depend on the priority given to these topics by the secretary of state, who is also in charge of Social Fraud and the North Sea and how he will translate these high-level principles into actual legal texts.

In this context it is noteworthy that a roundtable is going to be organised with all stakeholders to refine and apply the high-level principles of the coalition agreement. We will report back on this as soon as more details become available.

Part 1: Cutting through the Internet of Things hyperbole

Posted on October 15th, 2014 by



I’ve held back writing anything about the Internet of Things (or “IoT“) because there are so many developments playing out in the market. Not to mention so much “noise”.

Then something happened: “It’s Official: The Internet Of Things Takes Over Big Data As The Most Hyped Technology” read a Forbes headline. “Big data”, last week’s darling, is condemned to the “Trough of Disillusionment” while Gartner moves IoT to the very top of its 2014 emerging technologies Hype Cycle. Something had to be said.

The key point for me is that the IoT is “emerging”. What’s more, few are entirely sure where they are on this uncharted journey of adoption. IoT has reached an inflexion point and a point where businesses and others realise that identifying with the Internet of Things may drive sales, shareholder value or merely kudos. We all want a piece of this pie.

In Part 1 of this two part exploration of IoT, I explore what the Internet of Things actually is.

IoT –what is it?

Applying Gartner’s parlance, one thing is clear; when any tech theme hits the “Peak of Expectations” the “Trough of Disillusionment” will follow because, as with any emerging technology, it will be sometime until there is pervasive adoption of IoT. In fact, for IoT, Gartner says widespread adoption could be 5 to 10 years away. However, this inflexion point is typically the moment in time when the tech industry’s big guns ride into town and, just as with cloud (remember some folk trying to trade mark the word?!), this will only drive further development and adoption. But also further hype.

The world of machine to machine (“M2M“) communications involved the connection of different devices which previously did not have the ability to communicate. For many, the Internet of Things is something more, as Ofcom (the UK’s communications regulator) set out in its UK consultation, IoT is a broader term, “describing the interconnection of multiple M2M applications, often enabling the exchange of data across multiple industry sectors“.

The Internet of Things will be the world’s most massive device market and save companies billions of dollars” shouted Business Week in October 2014, happy to maintain the hype but also acknowledging in its opening paragraph that IoT is “beginning to grow significantly“. No question, IoT is set to enable large numbers of previously unconnected devices to connect and then communicate sharing data with one another. Today we are mainly contemplating rather than experiencing this future.

But what actually is it?

The emergence of IoT is driving some great debate. When assessing what IoT is and what it means for business models, the law and for commerce generally, arguably there are more questions than there are answers. In an exploratory piece in ZDNET Richie Etwaru called out a few of these unanswered questions and prompted some useful debate and feedback. The top three questions raised by Ritchie were:

  • How will things be identified? – believing we have to get to a point where there are standards for things to be sensed and connected;
  • What will the word trust mean to “things” in IoT? – making the point we need to redefine trust in edge computing; and
  • How will connectivity work? – Is there something like IoTML (The Internet of Things Markup Language) to enable trust and facilitate this communication?

None of these questions are new, but his piece reinforces that we don’t quite know what IoT is and how some of its technical questions will be addressed. It’s likely that standardisation or industry practice and adoption around certain protocols and practices will answer some of these questions in due course. As a matter of public policy we may see law makers intervene to shape some of these standards or drive particular kinds of adoption. There will be multiple answers to the “what is IoT?” question for some time. I suspect in time different flavours and business models will come to the fore. Remember when every cloud seminar spent the first 15 minute defining cloud models and reiterating extrapolations for the future size of the cloud market? Brace yourselves!

I’ve been making the same points about “cloud” for the past 5 years – like cloud the IoT is a fungible concept. So, as with cloud, don’t assume IoT has definitive meaning. As with cloud, don’t expect there is any specific Internet of Things law (yet?). As Part 2 of this piece will discuss, law makers have spotted there’s something new which may need regulatory intervention to cultivate it for the good of all but they’ve also realised  that there’s something which may grow with negative consequences – something that may need to be brought into check. Privacy concerns particularly have raised their head early and we’ve seen early EU guidance in an opinion from the Article 29 Working Party, but there is still no specific IoT law. How can there be when there is still little definition?

Realities of a converged world

For some time we’ve been excited about the convergence of people, business and things. Gartner reminds us that “[t]he Internet of Things and the concept of blurring the physical and virtual worlds are strong concepts in this stage. Physical assets become digitalized and become equal actors in the business value chain alongside already-digital entities“.   In other words; a land of opportunity but an ill-defined “blur” of technology and what is real and merely conceptual within our digital age.

Of course the IoT world is also a world bumping up against connectivity, the cloud and mobility. Of course there are instances of IoT out there today. Or are there? As with anything that’s emerging the terminology and definition of the Internet of Things is emerging too. Yes there is a pervasiveness of devices, yes some of these devices connect and communicate, and yes devices that were not necessarily designed to interact are communicating, but are these examples of the Internet of Things? Break these models down into constituent parts for applied legal thought and does it necessarily matter?

Philosophical, but for a reason

My point? As with any complex technological evolution, as lawyers we cannot apply laws, negotiate contracts or assess risk or the consequences for privacy without a proper understanding of the complex ecosystem we’re applying these concepts to. Privacy consequences cannot be assessed in isolation and without considering how the devices, technology and data actually interact. Be aware that the IoT badge means nothing legally and probably conveys little factual information around “how” something works. It’s important to ask questions. Important not to assume.

In Part 2 of this piece I will discuss some early signs of how the law may be preparing to deal with all these emerging trends? Of course the answer is that it probably already does and it probably has the flexibility to deal with many elements of IoT yet to emerge.