From the FTC’s new report on the Internet of Things [pdf]:
IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. …[P]rivacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time… companies might use this data to make credit, insurance, and employment decisions.
Overall recommendations:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
The report and the FTC’s press release are here.
As usual, Jules Polonetsky and Christopher Wolf at the Future of Privacy Forum have thoughtful comments, which can be found here.