FTC says data and privacy are top security concerns

Enterprises need to address privacy issues when dealing with security issues.

CAMBRIDGE, Mass. -- While IT professionals are asking how to secure devices, networks, and platforms, policy makers are asking how to secure data and privacy. The Internet of Things (IoT) and the Security of Things (SecT) share the goal of allowing innovation to flourish , but are developers as concerned with securing data and devices?

Policy makers, academics, and innovators came together last week to discuss “Security, Privacy and the IoT: A Policy Perspective” at the second annual Security of Things forum hosted by The Security Ledger and Christian Science Monitor Passcode in Cambridge, Mass.

Julie Brill, commissioner, Federal Trade Commission (FTC), said “The state of things in Washington around policy for IoT is a schizophrenic approach.” Brill recognized the opportunity for improving lives in terms of health and transportation, but also noted that there are privacy concerns that need to be addressed.

“Everyone wants to ensure that there is the opportunity for innovation to flourish, but there is also a desire to ensure the intimate collection of information is protected,” Brill said. For the FTC, the trick to creating policy is that they have to take an approach that allows for continued development and invention but also provides for the security of data and the security of privacy.

“Job number one,” Brill said, “is the security of privacy.” Referencing a 2014 study by Hewlett Packard, Brill noted that 90 percent of connected devices are collecting personal information and 70 percent of that information flows over unencrypted networks.

Because privacy is important, Brill said, “We need to figure out how to deal with security issues when addressing privacy issues.” Patching vulnerabilities doesn’t necessarily make a device or the data it collects more secure.

For larger companies, the idea of pushing through patches might not be an economic burden, but for startups or smaller developers that find vulnerabilities, pushing through patches can be costly. Brill noted, “They are going to worry about patching.” Instead, they might release a newer version, but that earlier version with the vulnerability is still insecure.

“The answer is not IoT legislation,” said Brill. “We need data security legislation."

Peter Lefkowitz, chief privacy and data protection counsel and chief privacy officer, GE agreed. “From a corporate perspective, security is job one.”

Julie Brill, commissioner, Federal Trade Commission

For GE, which has come out with everything from light bulbs to wind turbines and connected medical devices, Lefkowitz recognized, “The FDA came out with guidelines for medical devices, and god help the company that doesn’t follow them.”

The larger and more important message for Lefkowitz is to make sure that there is an understanding of the value and impact of connected devices. “These are incredible areas of development for society, and there is a much more complicated discussion to make sure we get it right,” said Lefkowitz.

Andrea Matwyshyn, professor of Law at Northeastern University and Microsoft Visiting Professor at Princeton’s Center for Information Technology Policy, said, “Security enables good functionality and consumer trust, but we need a regulatory scalpel, not a regulatory ax.”

Regulations can ensure better quality, functionality, security, and privacy, but Matwyshyn warned, “Some regulation can be damaging. When we start to apply a heavier lens, we’re disrupting innovation.”

Arguing for diversity in the marketplace, Matwyshyn raised the question of technology suitability. “Just because we can add Bluetooth or WiFi doesn’t mean it’s optimal. There are consumers that don’t want the most advanced highly connected device.”

While Matwyshyn argued that fewer connected devices is a market opportunity, the IoT has infiltrated itself into our society, and the latest innovations—whether needed or not—are in high demand. In order to secure the data and the devices, information sharing needs to change.

“One key focus is the idea of information sharing,” said Matwyshyn. “The average quality of security advisories is not good. We need information rich security advisories.”

Failing to provide reasonable security could result in trouble with the FTC for enterprises, trouble that companies have been dealing with since long before the explosion of IoT. Brill spoke of a recent case that came out of the 3rd circuit ruling that the FTC has the authority to prohibit unfair acts in commerce if a company fails to provide reasonable security.

The courts have established that it is reasonable to expect companies are protecting data and privacy, which means that developers need to do more to protect privacy and security by design. To that end, the FTC has started a new enterprise education initiative to educate businesses on promoting good data and privacy security practices.

Seal programs like those available through United Labs, a safety consulting and certification company, are one way to bring greater awareness of privacy and security to the enterprise, but Brill argued, “It needs to be a real program and a good program. There is also a role for self-regulation.”

For many businesses, staying out of the headlines is motivation enough to self-regulate. Lefkowitz said, “If there is a breach of a product or a device, my first concern is not the FTC. It’s the front page of the Wall Street Journal.”

Lefkowitz argued that there is a really important place in the IoT for certification and seal programs. “When putting out a baby monitor, is it important to have a seal? Yes. But GE is putting out airplane engines.” Does a seal really mean anything when it is stamped on an engine or a wind turbine?

GE is a company betwixt the world of old and new, as it has successfully transitioned to a company that is putting out connected devices. Though they’ve been in the space a long time, the industrial internet has brought attention to its newer more connected devices. “We’ve developed internal standards, and there is the ongoing paranoia about oopsies,” said Lefkowitz.

Yes, oopsies. Making the headlines, data leaving the network. Whatever euphemism businesses chose, they are referring to the potential of being breached. That ongoing paranoia can be productive if it provokes dialogue and raises awareness.

In talking about the things that could go wrong, the moderator and editor in chief at The Security Ledger, Paul Roberts asked whether technology in devices should have an expiration date. Matwyshyn argued, “A limited expiration is not viable since vulnerabilities can be found by third parties on day one.”

Lefkowitz suggested that depending on the device functionality, data collection can be, “allow unless you prohibit or prohibit unless you allow.”

The conversations about data and privacy security in IoT are ongoing as are the number of detected vulnerabilities. Between the regulatory concerns and consumer confidence, businesses need to look at their established standards and rely on third-party audits and security researchers to protect themselves.

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet of Things

More about CSOFederal Trade CommissionFTCGEHewlett PackardMicrosoftRobertsTechnologyWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kacy Zurkus

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place