Privacy Implications While Building the IoT
Michael Cox, CIPP/US and Paul Boulanger, CIPP/US, CISSP, CIPT, CCSK
Page 1

Michael Cox, CIPP/US

Paul Boulanger, CIPP/US, CISSP, CIPT, CCSK

Privacy Implications While Building the IoT

Page 2

BIOs: Six+ years of working together

Michael Cox, CIPP/US
• Part-time Chief Privacy Officer, Pathway Genomics Corp.
• President and Founder, SoCal Privacy Consultants
• Previous experience
  ─ VP of Enterprise Risk Management, Goal Financial
  ─ Business Risk Officer, Capital One Auto Finance
  ─ VP of Operations – multiple organizations, including 2 Fortune 200 companies
• Certified Information Privacy Professional (CIPP/US)
• Member, International Association of Privacy Professionals (IAPP)
• Member, IAPP Professional Privacy Faculty
• Member, two privacy think-tank groups, Lares Institute
• Co-author, Security chapter for HIMSS Good Informatics Practices (GIP)
• Frequent speaker on privacy and security subjects
• B.S., Business Administration, Virginia Tech

Paul Boulanger, CIPP/US, CIPT, CISSP, CCSK
• Part-time Information Security Officer, Pathway Genomics
• Vice President, SoCal Privacy Consultants
• Previous experience
  ─ CTO/Co-Founder, Sea Networks, Inc.
  ─ Sr. Internet Engineer, Nextleft
  ─ Instructor of Microsoft Certified Systems Engineer class for DoD personnel retraining at San Diego State University
• Certified Information Privacy Professional (CIPP/US)
• Certified Information Privacy Technologist (CIPT)
• Certified Information Systems Security Professional (CISSP)
• Certificate of Cloud Security Knowledge (CCSK)
• Member, International Association of Privacy Professionals (IAPP)
• Proud member of InfraGard and Infrastructure Liaison Officer
• Computer Science, University of California at San Diego

SoCal Privacy Consultants
• Private and public customer-centric organizations in health care, technology services, financial services, Internet, Big Data, etc.
• Conducts gap assessments and establishes lean, sustainable and legally defensible privacy and security programs for partners, service providers, and M&A buyers and sellers
• For an FTC consent order client, established multi-state information security programs and helped pass four consecutive satisfactory biennial audits certifying compliance to the order
• Contact information: [email protected] or (619) 318-1263

Page 3

What markets are represented here?

Markets
• Health care
• Financial services
• Retail
• Technology service providers
• Internet company
• Big Data company
• Others _________________

Organizations
• Public (vs. Private)
• International (vs. Domestic)

Participants
• CIOs / CTOs
• CPOs / CROs
• CISOs / CSOs
• Others

Page 4

Introduction to IoT

Page 5

Internet of Things (IoT)

• Refers to “things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet (FTC’s definition)
  ─ E.g. refrigerators connected to online delivery services
• This “disruptive” technology has only scratched the surface of what “machine-to-machine” (M2M) interconnectivity can achieve
  ─ Human-to-human (H2H)
  ─ Human-to-thing (H2T)
  ─ Thing-to-thing (T2T)
  ─ Thing-to-things (T2Ts)

Page 6

Key Factors for harnessing M2M Connectivity

• Smartphones
• Smart apps
• Sensor technology sophistication and low cost
• IPv6
• Wi-Fi and broadband connectivity is ubiquitous
• Big Data processing technology – large volumes in real time
• Cloud storage capacity is growing rapidly

Source: The Internet of Things: Brave New World – Morrison & Foerster, June 2015, http://www.mofo.com/~/media/Files/ClientAlert/2015/06/150619TheInternetofThings.pdf

Page 7

“Ubiquitous”

IoT offers numerous and transformative benefits for organizations to generate new sources of revenue, and improve effectiveness and efficiencies to increase profits and lower costs, and for consumers to keep us healthier, reduce energy needs, and increase productivity

IoT is far bigger than most realize

Consumer
• Wearables, e.g. smart fitness device
• Connected health, e.g. smart, remote monitoring medical devices
• Smart TV, e.g. downloadable video-on-demand
• Connected car, e.g. smart navigation
• Smart home, e.g. smart thermostat

Business
• Smart retail, e.g. proximity-based advertising
• Smart farming, e.g. livestock monitoring
• Smart supply chain, e.g. smart inventory tracking & ordering
• Industrial Internet, e.g. intelligent buildings
• Smart grid, e.g. smart electrical grid

Government
• Smart city, e.g. traffic management
• Smart supply chain, e.g. smart inventory tracking & ordering
• Industrial Internet, e.g. intelligent buildings
• Smart grid, e.g. smart electrical grid

Page 8

Key elements for harnessing IoT Benefits

“Trustworthy” and “legally defensible” are part of providing consumer & company benefits

• Determine who will be organizationally responsible for the development and implementation of the IoT solution. What role will the CIO play?
• Identify the IoT solution requirements
  ─ Device and infrastructure management platform to operate software on devices remotely
  ─ Data filtering thresholds and configurations to ensure only relevant data is processed
  ─ Analytics platform to manage and derive benefits of huge data streams in real time
  ─ Integration through connectors that enable applications to collect and analyze data in two-way communication with remote sensors
  ─ Privacy must be baked into customer privacy notices and data privacy lifecycle practices consistent with the notice
  ─ Security must be architected in early to avoid inherent vulnerabilities that can be exploited
• Consider future flexibility and technology compatibility in a rapidly evolving industry, e.g. to leverage the same sensor network and data infrastructure for multiple applications

Source: The Internet of Things: Brave New World – Morrison & Foerster, June 2015, http://www.mofo.com/~/media/Files/ClientAlert/2015/06/150619TheInternetofThings.pdf

Page 9

Value of Privacy and Security

What’s the difference between the two?

Page 10

What is Privacy?

• Is about individual rights and choices around the data privacy lifecycle
• Requires information governance around PII
  ─ Onward transfer (x-border transfer rules), notice/consent-choice, collection, purpose/use, access/availability/correction/quality, disclosure/sharing/transfer, storage/retention and secure disposal
• Includes security of PII
  ─ Administrative, physical, and technical controls

Page 11

Accountability

Data controller defines the data collected and is responsible throughout the delivery chain

Role            | Accountability              | Examples
Data owner      | Customer / patient          |
Data controller | Trusted organization        | IoT consumer product
Data processor  | 3rd Party Service Providers | IoT infrastructure, CSP

• You can outsource functions and activities, but not responsibility!
• You need to manage the entire eco-system to include 3rd party Service Providers
• You can’t just sign a contract and assume you are protected

Customers are data owners with certain rights and their data has value. They provide data to trusted organizations expected to protect it and respect their rights.

Page 12

Privacy creates business value by:

• Enhancing revenue generation through Privacy/Security-by-Design of products, services, systems, technologies and practices that establish and reinforce brand trust and enable business development opportunities – this is about “Trust Economics”, which we’ll discuss next
• Protecting company value by avoiding costly regulatory actions and penalties, lawsuits, lost business and sales, lost brand value, disruptive productivity losses, other financial impacts, and D&O liability – this is about achieving “Legal Defensibility”, which we will also discuss

Data Innovation Pledge: “I will promote the Ethical and Innovative Use of Data to improve people’s lives”

Page 13

Trust Economics

“… trust … would explain basically all the difference between the per capita income of the U.S. and Somalia”

• Trust is necessary for the success of economic transactions, but is perishable
  ─ M&A / IPOs: affect valuations / ability to raise capital (top VC recently hired a CPO)
  ─ SEC concerned about impact of trust on public markets; requires material risk disclosures in 10K
• 66% of consumers want reassurance rather than to be inspired by brands (Edelman's 1st annual Earned Brand study 2015)
  ─ 87% of consumers: concerns re: impact on privacy, environment and security will stop them from purchasing
  ─ 75% of consumers turn to peers to inform purchase decisions, overcome concerns, warn of risks
• Direct correlation between trust and business gains (The Altimeter Group’s report)
  ─ 80% of consumers said in the last 12 months they bought products from trusted companies; 68% recommended the company to a friend and 54% paid more for a trusted company’s products
• Enabling privacy earns companies a reputation as a responsible innovator
  ─ Brands need to be much clearer over how and why data is collected to gain trust (DMA report)
  ─ Through transparent privacy policies, customer choices (opt-ins/outs), etc.
• Provide a reassuring customer experience that privacy is honored and protected
  ─ By avoiding creepiness, e.g. persistent surveillance, data collection with no customer benefit
  ─ Using encryption, avoiding persistent cookies, etc.
• For innovation to benefit consumers, it cannot destroy privacy
• Privacy is part of the trust equation fueling innovation and growth
• Differentiate by reassuring privacy, rather than the “me too” attitude of “others do it”
• Reinforce trust through our promises, communications and operations (experience)
• Achieve business objectives by avoiding adverse impacts of breaches

Page 14

Privacy/Security-by-design enables Legal Defensibility

• Avoids major business disruptions and breach costs
• Check-the-box compliance is not defensible
  ─ Standards establish a minimum baseline, but are not enough
  ─ Standards cannot keep up with emerging threats, new technologies, changing laws/regulations, and guidance/enforcement actions
• Privacy/Security-by-Design: repeatable risk management that builds and preserves long-term value
  ─ When, not if – presumption that:
    ✓ Breach will occur
    ✓ Will be subject to legal proceedings to defend company and its assets
  ─ Able to make legally sound, compelling arguments from view of a plaintiff’s attorney/judge/jury/regulator that we’ve done everything reasonable¹
  ─ Institutionalize ownership of and accountability for risks (governance by “resource² owners”)
    ✓ Anticipate foreseeable risks continuously
    ✓ Design reasonable controls to mitigate privacy risks
    ✓ Implement and test controls, prior to roll-out
    ✓ Monitor controls to determine risk mitigation effectiveness and continuously strengthen posture as risk profile changes

1. VB DBIR’s 96-98% objective
2. Resources – products, services, processes, applications, databases, systems, technologies, service providers/partners

Page 15

Why is there this seemingly endless parade of breaches?

Question: Why are so many “compliant organizations” suffering breaches and then also resulting regulatory fines and enforcement actions, class action lawsuits, and adverse brand and equity impacts?

Answer:
1. Treating privacy and security strictly as a compliance risk
2. Underestimating the risk or not aware they are assuming a risk
3. Not implementing governance, ownership for risk (in the right context), and oversight
4. Not pursuing a risk-based, legally defensible strategy

Page 16

People want to feel safe and secure

* MasterCard’s Emotions of Safety & Security Survey conducted by Braun Research between 5/8/15 and 5/12/15.

Page 17

People want to feel safe and secure (continued; survey charts not reproduced)

Page 18

Internet of Cars (as an example)

Page 19

Looking at IoC “Internet of Cars”

A few fits and starts as cars become connected –
• Accidental – Jeep: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Page 20

Jeep – July 2015

Page 21

(Build slide; its content is repeated in full on page 22.)

Page 22

Looking at IoC “Internet of Cars”

A few fits and starts as cars become connected –
• Accidental – Jeep: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• Progressive Insurance Snapshot device that plugs into the OBD-II port connects the car to cellular. Snapshot devices communicate with Progressive over the cellular network in plain text. This means that an attacker could pretty easily set up a fake cell tower and perform a man-in-the-middle attack.
• Intentional – Volkswagen: chose to include code to detect when it was being smog tested and run clean
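The Snapshot finding above is a transport problem. As an added example (not code from the slides or from any vendor), here is how a telematics uploader would be configured to refuse plaintext and unverified peers, with an audit function that flags the weak policy beside the corrected one, plus a per-reading HMAC as defense in depth. The policy dicts, device key and sample reading are constructed.

```python
"""Hardened transport for an OBD-II telematics uploader (added example)."""
import hashlib
import hmac
import json
import ssl
from typing import List, Optional

# The policy the Snapshot slide describes: a cellular link with no TLS, so any
# base station on the path can read or alter the stream.
PLAINTEXT_POLICY = {"scheme": "tcp", "verify_peer": False,
                    "check_hostname": False, "min_tls": None}


def audit_transport_policy(policy: dict) -> List[str]:
    """Return the findings a reviewer would raise for a telemetry transport policy."""
    findings = []
    if policy.get("scheme") != "tls":
        findings.append("plaintext transport: readings readable and modifiable on the path")
    if not policy.get("verify_peer"):
        findings.append("server certificate not verified: a rogue endpoint is accepted")
    if not policy.get("check_hostname"):
        findings.append("hostname not checked: any certificate from any CA is accepted")
    if (policy.get("min_tls") or 0) < int(ssl.TLSVersion.TLSv1_2):
        findings.append("legacy TLS versions permitted")
    return findings


def make_device_tls_context(pinned_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses unverified peers and pre-1.2 TLS.

    PROTOCOL_TLS_CLIENT already defaults to hostname checking and CERT_REQUIRED;
    the settings are repeated explicitly so the intent is visible in code review.
    A CA certificate baked into firmware (pinned_ca_pem) limits trust to the
    operator's own PKI rather than every CA in the device's default store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pinned_ca_pem:
        ctx.load_verify_locations(cadata=pinned_ca_pem)
    else:
        ctx.load_default_certs()
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Express a live context in the policy vocabulary so it can be audited too."""
    return {"scheme": "tls",
            "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname,
            "min_tls": int(ctx.minimum_version)}


# Defense in depth: authenticate each reading with a per-device key so a
# reading altered in transit is rejected even if the link is ever downgraded.
def _canonical(reading: dict) -> bytes:
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, device_key: bytes) -> dict:
    tag = hmac.new(device_key, _canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


def verify_reading(envelope: dict, device_key: bytes) -> bool:
    expected = hmac.new(device_key, _canonical(envelope["reading"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


# Constructed sample: one driving-behaviour record and a demo key. A real
# device gets its own key at manufacture or enrolment, never a shared one.
DEMO_DEVICE_KEY = b"demo-only-per-device-key"
SAMPLE_READING = {"device_id": "obd-demo-0001", "ts": 1436745600,
                  "speed_kph": 67, "hard_brake": 1}

if __name__ == "__main__":
    print(audit_transport_policy(PLAINTEXT_POLICY))
    print(audit_transport_policy(describe_context(make_device_tls_context())))
    print(verify_reading(sign_reading(SAMPLE_READING, DEMO_DEVICE_KEY), DEMO_DEVICE_KEY))
```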

Page 23

Page 24

Page 25

FBI: IoT poses opportunities for cyber crime

Public service announcement identifies risks with examples and provides recommendations:

“As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or Smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats.”

http://www.ic3.gov/media/2015/150910.aspx

Page 26

From Jim Hunter (@theiotguru)

http://techcrunch.com/2015/09/05/the-hierarchy-of-iot-thing-needs/

Page 27

IoT: “Digital Evermore” (Tom Ridge)

‘Internet of Things’ connected devices to almost triple to over 38 Billion units by 2020.
-- Juniper Research

• How will these be designed?
• How will these be patched?
• How to disclose if the user has the ability to remove or make anonymous all personal data upon discontinuing device or device end-of-life?
• How to publish a timeframe for support after the device/app is discontinued or replaced by newer version?

Will customers / end-users even know what risks they are taking?
Will they have a choice?

Page 28

Have there been any IoT enforcement actions?
What triggers this? What are the implications?

Page 29

Section 5 of the Federal Trade Commission Act

This is what the FTC uses to prosecute privacy and security violations.

Trade Practice or Act: Unfair
  Definition: Where a practice or act causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.
  Example: Stolen data in motion or at rest was not encrypted

Trade Practice or Act: Deceptive
  Definition: Where a representation, omission, or practice misleads or is likely to mislead the consumer; a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and the misleading representation, omission, or practice is material.
  Example: Privacy or security practice is not consistent with the customer privacy notice, e.g. data is not encrypted

Page 30

First IoT FTC 20 year Consent Order: 2014

FTC’s early warning to IoT developers of readiness to bring actions for lack of security

• TRENDnet’s faulty software left sensitive consumer information – video and audio feeds – from its home security cameras open to online viewing by anyone with the camera’s Internet address.
• A hacker exploited this flaw and posted links to the live feeds of certain cameras (including babies asleep in their cribs and young children playing).
• Company did not have a way to repair the security flaw without forcing users to visit the website and download a software patch.

Page 31

FTC Consent Order Client Impacts

• 20 year consent order
  ─ CEO will likely want another executive to sign the order, e.g. GC, CFO, or CIO/CTO
  ─ A copy of the order must be delivered to / receipt acknowledged by all current / future: subsidiaries, principals, officers, directors, managers, employees, agents, and representatives having responsibilities relating to the order
• Increased cost of compliance
  ─ Provide 30 days notice of change to corp., e.g., dissolution, assignment, sale, merger or like action
  ─ Within 90 days of order, provide a report of compliance to the order
  ─ Respond within 10 days to additional information requests
  ─ Expensive independent biennial audits by CISSP, CISA, or GIAC (cannot be CPA)
  ─ Demonstrate compliance on any given day during biennial period
  ─ Retain specified compliance documentation for a period of 5 years
    · Any documents that “contradict, qualify, or call into question compliance with” the order; risk assessments; consumer complaints; plans, reports, studies, reviews, audits, audit trails, training materials, & assessments; statements disseminated to consumers re: privacy/security
• Compliance is elevated due to:
  ─ FTC expectations, e.g. privacy/security training occurs prior to providing new hires access to PII
  ─ Being on the FTC’s radar screen and wanting to avoid another breach

Page 32

Be aware of. . .

• Enforcement actions help establish “reasonable standards”
  ─ Fandango and Credit Karma disabled SSL during testing and did not re-enable it before release
  ─ Their FTC 20 year consent orders provide guidance on mobile app security program requirements¹ that equally apply to IoT as well
• FTC has also encouraged State AGs to monitor the IoT industry and bring their own enforcement actions for privacy and security breaches under general state laws
  ─ Expect CA, CT, MA, NY and others to be active enforcers
• Consumer class action plaintiffs and attorneys are also paying attention
• U.S. and EU have recently agreed to jointly and actively enforce to protect the other’s residents (result of ECJ invalidating Safe Harbor)

1. http://www.dataprivacymonitor.com/mobile-privacy/ftc-final-orders-with-fandango-and-credit-karma-provide-guidance-on-mobile-app-security/

Page 33

IoT Guidance and Standards

A common complaint is that there are no standards for this nascent industry; however, this is simply not true.

We’ll start with the FTC’s report: “Internet of Things: Privacy & Security in a Connected World”, published in January 2015

Page 34

IoT Privacy Risks identified by the FTC

Like cloud, there will be early adopters and failures before the IoT industry matures

• Direct collection of PII
• Allows 3rd parties to have access to PII collected over time to analyze & infer things
  ─ Could be used to make credit, insurance, & employment decisions and make unwelcome marketing pitches
• May allow remote eavesdropping
• Could undermine consumer confidence re: such technologies

Source: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Page 35

FTC’s Recommended IoT Privacy Practices

Data Minimization
• Reasonably limit collection and retention of consumer data (for two reasons), then dispose of it once no longer needed
  ─ Larger data stores present a more attractive target for data thieves
  ─ Increased risk the data will be used in a way that departs from consumers’ reasonable expectations
• Flexible approach options
  ─ Decide not to collect data at all
  ─ Collect only the data necessary to the product or service being offered
  ─ Collect less sensitive data or de-identify the data collected
  ─ Seek consumers’ consent for collecting additional, unexpected data

Source: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Page 36

FTC’s Recommended IoT Privacy Practices

Notice and Choice
• If no consumer interface screen, it will not be sufficient to simply have a privacy policy available on a website and expect consumers to find it
• Privacy choices should be clear and prominent, especially for sensitive PII and where unexpected use or sharing relative to “context” (more flexible than EU)
• Find ways to present meaningful privacy notices and choices to the consumer, including in the set-up or purchase of the product itself, using a combination of approaches, such as:
  ─ Offer video tutorials to guide consumers through privacy settings
  ─ Affix QR code or similar barcodes that, when scanned, take the consumer to a website with information about privacy practices, and enable choices through website interface
  ─ Use a privacy portal or dashboard
  ─ Offer a set-up wizard that provides information about privacy practices
  ─ Allow users to configure devices, e.g., home appliances, so that they receive information through emails or texts
  ─ Create a user experience “hub” that stores data locally and learns a consumer’s privacy preferences based on prior behavior

Source: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Page 37

IoT Security Risks identified by the FTC

“Inadequate security presents the greatest risk of actual consumer harm in the Internet of Things.”

• Could enable unauthorized access and misuse of personal information
  ─ IoT risk is heightened by the plethora of devices to be connected and secured
• May facilitate attacks on the consumer’s network or enable attacks on other systems
• May present a heightened risk of harm to personal safety
  ─ E.g., hack into smart medical device, change settings, and impede therapeutic function
• Risks are exacerbated because market entrants may not have privacy and security experience, or may create inexpensive devices which may be difficult or impossible to patch for security vulnerabilities

“G.E. The Digital Company”

Source: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

Page 38

FTC’s Recommended IoT Security Practices

Reasonable security depends on a number of factors, including amount and sensitivity of data collected

• Build security into devices at the outset (security-by-design with smart defaults)
  ✓ Conduct security risk assessment
  ✓ Minimize data collected and retained
  ✓ Test security measures before product launch
• Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization
• Select / retain service providers that are capable of maintaining reasonable security and providing reasonable oversight (monitor)
• Implement a defense-in-depth approach for systems that involve significant risks, considering security measures at several levels
• Impose reasonable RBAC measures to limit the ability of an unauthorized person to access a consumer’s device, data, or network
• Continue to monitor products throughout the life cycle and, to the extent possible, patch known vulnerabilities

Source: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
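The RBAC recommendation above, as an added example that is not from the FTC report or the slides: a device-scoped, default-deny authorization check in which every grant is bound to one device, vendor-support access must be time-boxed, and every decision is recorded for audit (the TRENDnet case on page 30 is the "anonymous caller" path). Role names, principals and device ids are constructed.

```python
"""Device-scoped, default-deny RBAC for a consumer IoT cloud API (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "owner": {("feed", "view"), ("feed", "export"), ("settings", "change"),
              ("network", "change"), ("grants", "manage")},
    "household": {("feed", "view")},
    # Vendor support may adjust settings during a time-boxed grant but never
    # sees the feed: least privilege for everyone who is not the consumer.
    "support": {("settings", "change")},
}


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    device_id: str                    # a grant is always bound to one device
    expires_at: Optional[int] = None  # epoch seconds; mandatory for "support"


class AccessPolicy:
    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit: List[dict] = []   # every decision is recorded for review

    def bootstrap_owner(self, principal: str, device_id: str) -> None:
        """Done once at device pairing; the only grant that is not delegated."""
        self._grants.append(Grant(principal, "owner", device_id))

    def add_grant(self, granter: Optional[str], grant: Grant, now: int) -> bool:
        """Only a current owner of that device may delegate; support grants must expire."""
        allowed, _ = self.decide(granter, grant.device_id, "grants", "manage", now)
        if not allowed or grant.role not in ROLE_PERMISSIONS:
            return False
        if grant.role == "support" and grant.expires_at is None:
            return False
        self._grants.append(grant)
        return True

    def decide(self, principal: Optional[str], device_id: str,
               resource: str, action: str, now: int) -> Tuple[bool, str]:
        """Default deny: an unauthenticated caller, a grant on another device,
        an expired grant or a role lacking the permission all fall through."""
        verdict = (False, "deny: no matching grant")
        if principal is None:
            verdict = (False, "deny: unauthenticated")
        else:
            for g in self._grants:
                if g.principal != principal or g.device_id != device_id:
                    continue
                if g.expires_at is not None and now >= g.expires_at:
                    continue
                if (resource, action) in ROLE_PERMISSIONS[g.role]:
                    verdict = (True, f"allow: {g.role} on {device_id}")
                    break
        self.audit.append({"t": now, "who": principal, "device": device_id,
                           "what": f"{resource}:{action}", "result": verdict[1]})
        return verdict


def demo_policy() -> AccessPolicy:
    """Constructed scenario: alice pairs camera cam-1, adds a household member
    and a vendor technician whose access lapses at t=2000."""
    policy = AccessPolicy()
    policy.bootstrap_owner("alice", "cam-1")
    policy.add_grant("alice", Grant("bob", "household", "cam-1"), now=1000)
    policy.add_grant("alice", Grant("tech", "support", "cam-1", expires_at=2000), now=1000)
    return policy
```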

Page 39

Will the device be sold internationally?

EU Article 29 Working Party expressed these IoT concerns:
• Lack of control – means greater potential for automatic flow of data among devices (& vendors) without notice to users
• Additional purposes – interconnectivity may lead to use of gathered data by 3rd parties for other than original intent
• Consent – because users may lack full disclosure of data flow, their consent may be inadequate
• Profiling – fine-grained user monitoring & profiling could result from type of information collectable from connected devices
• Limiting anonymity – more use of connected devices suggests lower likelihood for maintaining anonymity (increasing risk of re-identification)
• Security – large volumes of data transferring over connected devices may lead to considerable security risks

Page 40

EU Article 29 Working Party IoT recommendations

• Conduct a privacy impact assessment before device release
• Delete raw data from device as soon as it has been extracted
• Follow privacy / security-by-design principles
• Provide privacy notice in user-friendly way & obtain consent or offer right to refuse
• Design devices to inform both users & people interacting with them (e.g. people being recorded by a camera in a wearable technology) of the data processing by the entity providing the device
• Inform users of data that has been collected & enable them to access, review & edit that data before it is transferred
• Give users granular choices on the type of processing as well as time & frequency of data gathering

Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf

Page 41

Verizon Business 2015 DBIR (Data Breach Investigations Report)

IoT ecosystem
• Purpose – collect only data absolutely necessary to fulfill intended purpose (use test)
• Consent / Access – build in consent for sensitive data collection & use and any PII shared with 3rd parties – annotate each data element with its purpose & who has access to it – Level 1 devices should allow a view listing of each data element collected & its intended usage
• Anonymization – all data transferred & retained in encrypted & anonymized manner to prevent unauthorized access & data breaches
• Separation – strict separation of data maintained both in household & enterprise data repositories, except when anonymized for trend analysis
• Safeguards – Level 3 devices limited to sensing & relaying capability, & Level 2 and Level 3 devices, including intercommunication channel, should be highly secure systems
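The FTC's data minimization options (page 35) and the DBIR's purpose-annotated data elements above, combined in one added example that is not from either report or the slides: a data inventory that annotates each element with its purpose and who may access it, and that drives what a device collects, how it de-identifies, what each recipient receives and when records are disposed of. The inventory, pseudonym key and thermostat reading are constructed.

```python
"""Purpose-annotated data inventory driving minimization and release (added example)."""
import hashlib
import hmac
from typing import Dict, List, Set

# Each element the device can emit, annotated with the purpose(s) it serves and
# who may access it. "consent" marks data that is unexpected for the product and
# collected only after an opt-in; "identifier" marks data to pseudonymize.
DATA_INVENTORY: Dict[str, dict] = {
    "device_id":     {"purposes": {"service", "analytics"},
                      "access": {"controller", "analytics_vendor"}, "identifier": True},
    "ts":            {"purposes": {"service", "analytics"},
                      "access": {"controller", "analytics_vendor"}},
    "temperature_c": {"purposes": {"service", "analytics"},
                      "access": {"controller", "analytics_vendor"}},
    "occupancy":     {"purposes": {"service"}, "access": {"controller"}},
    "lat":           {"purposes": {"marketing"}, "access": {"controller"},
                      "consent": True, "coarsen_to": 1},
    "lon":           {"purposes": {"marketing"}, "access": {"controller"},
                      "consent": True, "coarsen_to": 1},
}


def minimize(reading: dict, purpose: str, consents: Set[str]) -> dict:
    """Keep only elements that serve `purpose`. Consent-gated elements need an
    opt-in, and anything absent from the inventory is dropped: the default is
    'decide not to collect at all'."""
    kept = {}
    for name, value in reading.items():
        spec = DATA_INVENTORY.get(name)
        if spec is None or purpose not in spec["purposes"]:
            continue
        if spec.get("consent") and name not in consents:
            continue
        kept[name] = value
    return kept


def deidentify(record: dict, pseudonym_key: bytes) -> dict:
    """Replace identifiers with a keyed pseudonym (stable per device, not
    reversible by a recipient without the key) and coarsen precise values."""
    out = {}
    for name, value in record.items():
        spec = DATA_INVENTORY[name]
        if spec.get("identifier"):
            out[name] = hmac.new(pseudonym_key, str(value).encode(),
                                 hashlib.sha256).hexdigest()[:16]
        elif "coarsen_to" in spec:
            out[name] = round(value, spec["coarsen_to"])
        else:
            out[name] = value
    return out


def release_to(record: dict, recipient: str) -> dict:
    """Separation: a recipient receives only the elements it is listed for."""
    return {k: v for k, v in record.items() if recipient in DATA_INVENTORY[k]["access"]}


def purge_expired(records: List[dict], now: int, retention_s: int) -> List[dict]:
    """Dispose of records once no longer needed; each record carries its own ts."""
    return [r for r in records if now - r["ts"] < retention_s]


# Constructed sample: one smart-thermostat reading that includes a field the
# product never declared (wifi_ssid), plus a demo pseudonym key.
DEMO_KEY = b"demo-only-pseudonym-key"
SAMPLE_READING = {"device_id": "thermo-demo-42", "ts": 1436745600,
                  "temperature_c": 21.5, "occupancy": True,
                  "lat": 32.7157, "lon": -117.1611, "wifi_ssid": "HomeNet"}
```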

Page 42

Cisco Reference Model (coined “IoT”)

http://cdn.iotwf.com/resources/71/IoT_Reference_Model_White_Paper_June_4_2014.pdf

Page 43

Frameworks for building the IoT

Page 44

NIST Fair Information Practice Principles (FIPPs)

Online fair information practices – FTC, OECD, & EU have similar versions

• Transparency: Be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
• Individual Participation: Involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
• Purpose Specification: Specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
• Data Minimization: Only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
• Use Limitation: Use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
• Data Quality and Integrity: To the extent practicable, ensure PII is accurate, relevant, timely, and complete.
• Security: Protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
• Accountability and Auditing: Be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

Source: National Strategy for Trusted Identities in Cyberspace: http://www.nist.gov/nstic/NSTIC-FIPPs.pdf

Page 45

Cloud Security Alliance's (CSA) Guidance

IoT Identity & Access Management Guidance (Sept. 30, 2015): details 23 recommendations for implementing IAM for IoT
https://cloudsecurityalliance.org/download/identity-and-access-management-for-the-iot/

Security Guidance for Early Adopters of the IoT (April 2015):

• Analyze privacy impacts to stakeholders & adopt a Privacy-by-Design approach to IoT development & deployment

• Apply a secure systems engineering approach to architecting & deploying a new IoT system

• Implement layered security protections to defend IoT assets

• Implement data protection best practices to protect sensitive information

• Define lifecycle security controls for IoT devices

• Define & implement an authentication/authorization framework for the organization's IoT deployments

• Define a logging & audit framework for the organization's IoT ecosystem

https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Page 46

Online Trust Alliance IoT Trust Framework

• Jan. 2015: OTA established the IoT Trustworthy Working Group (ITWG), with input from 100 stakeholders; ITWG includes Microsoft, PwC, Symantec, TRUSTe, Verisign

• 2nd draft of the framework published Oct. 15, 2015 (1st draft June 10, 2015); v.1.1 has 38 controls

• Based on the FTC's and others' best practices, and on the Fair Information Practice Principles (FIPPs)

• Focuses on privacy, security and sustainability (upgradability, supportability and end-of-life) for:

  • home automation and connected home products

  • wearable technologies, limited to health & fitness categories

• Recognizes that "privacy/security-by-design" must be a priority from the onset of product development

Section: standards/controls

• Security: 13

• User Access & Credentials: 6

• Privacy, Transparency & Disclosures: 19

https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework-draft1.3.pdf

Page 47

OTA's IoT Trust Framework

For device manufacturers, vendors, app developers, service providers & platform operators. Importance varies by a) connected home & b) wearable tech.

Security (controls 1-13)

1. Encryption at rest & in transit
2. Passwords hashed / encrypted
3. Always-on SSL/TLS
4. Server security & pen tests
5. Email authentication protocols
6. Email DMARC reject policy
7. Email message integrity & privacy
8. Confirm no code vulnerabilities prior to release
9. Code hardening
10. Code cryptographically signed & verified by a trusted source
11. Vulnerability scans & mgmt.
12. Rigorous SDLC process
13. Secure transmission protocols

User Access & Credentials (controls 14-19)

14. User- or system-generated passwords, or secure certificate credentials
15. Password recovery & reset, using multi-factor verification where no password exists
16. Lock after an invalid number of log-in attempts
17. Password change only following secure authentication, with email or out-of-band notification of the change
18. Breach response & consumer safety notification
19. Communication with the IoT vendor re: product & service security risk issues
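Control 10 (code cryptographically signed & verified by a trusted source) is the one on this slide that is easiest to get subtly wrong, so here is an added worked example of the device-side check; it is not code from OTA or from the authors. It assumes a simple update-image layout (magic, version, payload, Ed25519 signature) invented for the example, a vendor public key burned into the device, and a fixed key seed so the run is repeatable; it also goes one step beyond the control's wording by rejecting a genuinely signed but older image (anti-rollback), since an attacker who cannot forge a signature can still replay a signed image with a known bug.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update-image layout for this example (not OTA's or any vendor's real format):
//   magic(4) | version(4, big-endian) | payload | Ed25519 signature(64)
// The signature covers magic|version|payload, so changing the payload or the
// version field invalidates it.
var magic = []byte("FWU1")

type Image struct {
	Version uint32
	Payload []byte
}

var (
	ErrMalformed = errors.New("malformed image")
	ErrBadSig    = errors.New("signature does not verify against the trusted key")
	ErrRollback  = errors.New("image version is not newer than the installed version")
)

// signImage is the vendor-side build step: serialize the image and append the
// signature made with the vendor's private key, which never leaves the vendor.
func signImage(priv ed25519.PrivateKey, img Image) []byte {
	body := make([]byte, 0, 8+len(img.Payload))
	body = append(body, magic...)
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], img.Version)
	body = append(body, ver[:]...)
	body = append(body, img.Payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyImage is the device-side check run before an update is applied: parse the
// blob, verify the signature against the trusted public key shipped on the device,
// and refuse versions no newer than the installed one (anti-rollback).
func verifyImage(trusted ed25519.PublicKey, installed uint32, blob []byte) (Image, error) {
	if len(blob) < 8+ed25519.SignatureSize {
		return Image{}, ErrMalformed
	}
	split := len(blob) - ed25519.SignatureSize
	body, sig := blob[:split], blob[split:]
	if !bytes.Equal(body[:4], magic) {
		return Image{}, ErrMalformed
	}
	// Verify before acting on any field an attacker could have written.
	if !ed25519.Verify(trusted, body, sig) {
		return Image{}, ErrBadSig
	}
	ver := binary.BigEndian.Uint32(body[4:8])
	if ver <= installed {
		return Image{}, ErrRollback
	}
	return Image{Version: ver, Payload: append([]byte(nil), body[8:]...)}, nil
}

func main() {
	// Constructed fixed seed so the demo is repeatable; a real vendor key lives in an HSM.
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	trustedPub := vendorPriv.Public().(ed25519.PublicKey) // what the device ships with

	good := signImage(vendorPriv, Image{Version: 3, Payload: []byte("firmware v3 bytes")})
	img, err := verifyImage(trustedPub, 2, good)
	fmt.Println("genuine image:", img.Version, string(img.Payload), err)

	tampered := append([]byte(nil), good...)
	tampered[12] ^= 0xff // flip one payload byte after signing
	_, err = verifyImage(trustedPub, 2, tampered)
	fmt.Println("tampered image:", err)

	_, err = verifyImage(trustedPub, 3, good) // device already runs v3: replay is a rollback attempt
	fmt.Println("replayed image:", err)

	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	forged := signImage(attackerPriv, Image{Version: 4, Payload: []byte("malicious")})
	_, err = verifyImage(trustedPub, 2, forged)
	fmt.Println("forged image:", err)
}
```

Two design points worth checking in any real updater: the signature is verified before the version field is trusted, and the installed-version comparison lives on the device, not in the image, so a signed-but-old image cannot talk the device into downgrading.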

Page 48

OTA's IoT Trust Framework

For device manufacturers, vendors, app developers, service providers & platform operators. Importance varies by a) connected home & b) wearable tech.

Privacy, Transparency & Disclosures (controls 20-38)

20. Ensure adequate IoT vendor privacy & security support policies
21. Ensure compliance with global privacy regulatory requirements, e.g. COPPA, opt-ins/outs
22. Ensure privacy policies are transparent & provide a history of changes
23. Disclose product support duration (beyond product warranty) mapped to device lifespan
24. Disclose how all PII is collected & used
25. Disclose what functions fail if connectivity is disabled or stopped; for home automation products, provide an alternative access/use mechanism
26. Disclose in the data retention policy that data is retained as long as the user uses the device or to meet legal requirements
27. Provide a visible indicator / confirmation when initially pairing / connecting with other devices
28. Provide the ability to delete or anonymize PII (except transaction history) upon discontinuing, loss or sale of the device
29. Provide remote data erasure & zeroization if lost or stolen
30. Disclose how device/product/service ownership can be transferred (e.g. selling a home or a fitness tracker)
31. Only share PII with 3rd parties with express consent, unless required for operation
32. Provide user privacy preference controls
33. Disclose a commitment not to sell or transfer PII except in a sale or liquidation of the core business, provided the current privacy policy is honored
34. Adhere to FIPPs minimal data collection
35. Disclose sharing with law enforcement
36. If IoT data is stored in the cloud, adhere to cloud security standards
37. Disclose if PII, including data revealing when the home is occupied (temperature changes & location or distance from user), is accessible
38. Provide the ability to return a product without charge after reviewing the privacy notice presented prior to operation, if it was not conspicuously disclosed on the package
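Controls 28 and 29 (anonymize PII except transaction history; remote erasure & zeroization), like the "anonymization" and "separation" bullets on page 41, describe outcomes rather than mechanisms. The following is an added example, not code from OTA or the authors, of the two mechanisms a practitioner would reach for: crypto-shredding, where each device's records are encrypted under a per-device key and "remote erasure" means zeroizing that key (so copies of the ciphertext in backups the device can never reach become unreadable too), and keyed pseudonymization of the owner identifier so the retained history stays linkable per owner without exposing the email. The vault layout, record fields, secret and telemetry lines are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var ErrErased = errors.New("device data key has been zeroized; records are unrecoverable")

// Vault holds one device's records encrypted under a per-device AES-256-GCM key.
// Remote erasure is crypto-shredding: destroying the key renders every ciphertext,
// including copies in backups the device cannot reach, unreadable.
type Vault struct {
	key   []byte      // 32-byte data key; nil once erased
	aead  cipher.AEAD // nil once erased
	blobs [][]byte    // nonce || ciphertext || tag, as stored and backed up
}

func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{key: key, aead: aead}, nil
}

// Store encrypts one record with a fresh random nonce (GCM nonces must never repeat under a key).
func (v *Vault) Store(plaintext []byte) error {
	if v.aead == nil {
		return ErrErased
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.blobs = append(v.blobs, v.aead.Seal(nonce, nonce, plaintext, nil))
	return nil
}

// Read decrypts record i; it fails once the key is gone even though the blob is still present.
func (v *Vault) Read(i int) ([]byte, error) {
	if v.aead == nil {
		return nil, ErrErased
	}
	if i < 0 || i >= len(v.blobs) {
		return nil, errors.New("no such record")
	}
	ns := v.aead.NonceSize()
	return v.aead.Open(nil, v.blobs[i][:ns], v.blobs[i][ns:], nil)
}

// Erase is the remote "erasure & zeroization" action: overwrite the key bytes and drop the AEAD.
// Go cannot promise the GC never copied the key; real firmware keeps it in a secure element.
func (v *Vault) Erase() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key, v.aead = nil, nil
}

// Record is a transaction-history row; OwnerEmail is the direct identifier to remove.
type Record struct {
	OwnerEmail string
	Event      string
}

// pseudonymize maps an identifier to a keyed token (HMAC-SHA256, truncated) under a secret the
// analytics side never sees: one owner stays linkable across rows, but without the secret the
// token cannot be inverted or confirmed by hashing candidate addresses.
func pseudonymize(secret []byte, id string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(id))))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// anonymizeForTransfer strips direct identifiers from the history kept after a device is
// sold or discontinued, keeping the transaction rows themselves (control 28).
func anonymizeForTransfer(secret []byte, history []Record) []Record {
	out := make([]Record, len(history))
	for i, r := range history {
		out[i] = Record{OwnerEmail: pseudonymize(secret, r.OwnerEmail), Event: r.Event}
	}
	return out
}

func main() {
	v, _ := NewVault()
	_ = v.Store([]byte("2015-10-20T07:12 thermostat set to 21.5C")) // constructed sample telemetry
	pt, _ := v.Read(0)
	fmt.Println("before erase:", string(pt))
	v.Erase()
	_, err := v.Read(0)
	fmt.Println("after erase:", err)

	secret := []byte("constructed-demo-secret-kept-out-of-analytics")
	hist := []Record{{"Alice@Example.com", "paired hub"}, {"alice@example.com", "sold device"}}
	for _, r := range anonymizeForTransfer(secret, hist) {
		fmt.Println(r.OwnerEmail, r.Event)
	}
}
```

Note the "separation" point from page 41 falls out of the design: the pseudonymization secret and the per-device data keys live with the service that holds PII, and only the tokenized history is handed to the trend-analysis side. A plain unkeyed hash of the email would not do, because anyone can hash a guessed address and compare.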

Page 49

OWASP IoT Top 10

10 Most Significant IoT Security Surface Areas (OWASP IoT Top 10 - 2014). Covers the whole surface area: IoT device, cloud, mobile app, network interface, & software. Recommendations for manufacturers, developers, and consumers.

1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Configurability
9. Insecure Software/Firmware
10. Poor Physical Security

For each attack surface area: a description of the attack surface, threat agents, attack vectors, security weaknesses, technical impacts, business impacts, example vulnerabilities, example attacks, guidance on how to avoid the issue, and references to OWASP and other related resources

https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf

Page 50

As we build the IoT . . .

The FTC describes, "in the future, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend"

As a result, evaluate the guidance offered by the FTC and other regulators, and determine what steps you should take to mitigate those risks in the privacy and data security context

FTC Issues Landmark Report on Internet of Things, Morrison & Foerster, January 30, 2015, http://www.mofo.com/~/media/Files/ClientAlert/2015/01/150130FTCReportIoT.pdf

Page 51

In Conclusion

Can the device and ecosystem be designed and built in a sustainable manner, including addressing privacy and security risks?

• The Federal government is increasingly requiring information technology devices and systems to have defined levels of security before procurement

• Expect venture capitalists, investors & M&A acquirers to conduct due diligence to better identify candidates based on risk valuation

• Expect cyber risk insurers to conduct due diligence to hold the industry accountable to newly developed standards and to price the risk

• S-1 IPO filings must identify material risks to company value, to avoid derivative and D&O class action lawsuits

• Broken trust and lost opportunity take time to rebuild

Page 52

End

Page 53

Know how you are using a Cloud Service Provider

Infrastructure as a Service (IaaS):
• Amazon EC2
• Microsoft Azure
• Google Compute Engine

Platform as a Service (PaaS):
• AWS Elastic Beanstalk
• Google App Engine
• Force.com

Software as a Service (SaaS):
• Microsoft 365
• Google Apps
• Salesforce.com

Page 54

Certified, experienced privacy (CIPP, CIPT), security (CISSP), and cloud security (CCSK) professionals help you establish a legally defensible Privacy and Security Program with our two-phase process:

Phase 1 – Gap Assessment

Create data flow, inventory, and locations map

Conduct controls evaluation of your current program against applicable regulations and standards

Perform risk assessment

Provide report of findings and prioritized roadmap for you to establish or strengthen your program

Areas of focus include HIPAA, GLBA, ISO 27002:2013, NIST Cybersecurity Framework, SEC Cybersecurity Alert, state privacy and security laws, cross-border transfer rules, Big Data and cloud strategies, mobile and IoT apps and devices, and more.

Phase 2 - Implementation

Assist with custom implementation of Phase 1 recommendations, including policies and procedures

An effective transfer of knowledge and all our tools are provided to enable you to establish a LEAN Privacy and Security Program that is sustainable and legally defensible. Our goal is always to create a raving client!

Michael Cox, CIPP [email protected]

President 619.318.1263

www.SoCalPrivacy.com

Information privacy and security due diligence and programs