One of the most interesting transformations happening in the world is the adoption of IoT (the Internet of Things): the automation (control) and monitoring of the things we use every day by connecting them to the internet. Real-life cases already in place include auto companies monitoring the health of their vehicles, security monitoring and regulation of home appliances, and patient health monitoring.
IoT is achieved by connecting devices to the internet; these devices can store, process, and transfer large amounts of data. Much of this data can be personal data relating to health, profile, personal activities and so on. Manipulation of the data held in these devices can also have severe consequences for public health, safety, and security. For example, a man-in-the-middle attack on a patient health monitor can cause wrong information to be relayed from the patient's device, leading to a delayed response, or none at all, to potentially severe changes in the patient's condition, which can even result in the patient's death. A similar breach of IoT systems that control a larger populace can have far worse consequences.
On the other side of the coin, there is no doubt that the data in IoT devices offers tremendous potential for marketers as well as consumers. IoT can help provide customized services to any consumer who has a footprint on IoT. At the same time, IoT data can help risk-based businesses such as insurers profile and price individuals on the basis of their historical data recorded over IoT.
As the above shows, the data at play in IoT devices is sensitive and personal. According to a recent study by Cisco Systems, there will be well over 50 billion IoT devices by 2020, and the growth in the penetration of these devices will not cease in the foreseeable future. This raises the question of how to ensure the security and privacy of that data. With global regulators strengthening privacy controls and penalties, ensuring data privacy in IoT devices and communications has become pertinent. This brings us to the conflict between business value creation and business risk mitigation: how do IoT manufacturers, suppliers, and vendors ensure that IoT can be leveraged for its data without breaching the privacy of individuals?
The way to solve the jigsaw puzzle of data privacy in IoT is to ensure that every stakeholder involved is responsible for their part. This is a win-win for consumers and end users as well as for service providers: first and most importantly, it ensures the protection of individual data; at the same time, it protects businesses against regulatory, reputational, and revenue risks. Recommendations for IoT device and application developers include: ensuring the lawfulness of data processing; providing adequate and explicit notice and consent mechanisms; performing privacy impact assessments and vendor risk assessments; upholding individuals' rights to their data, including portability, correction, and erasure; classifying data and applying the principles of privacy by design and by default; and developing breach notification and management systems.
Essentially: ensure transparency and control over personal data for data subjects (those whose data is collected), data processors and data controllers (the parties collecting and processing the data) alike. At the same time, create value for businesses as well as consumers while holding the relevant parties accountable for private data.
Authored By - Indranil Chakravorty
TCS Enterprise Security and Risk Management