June 8, 2017

IoT is a Minefield for Data Privacy, Information Security and eDiscovery

4 minute read

The Internet of Things (IoT) has exploded in the last few years. From thermostats to cars, thousands of items can now collect, store and transmit data. The question many general counsel are asking is how does this affect data privacy, information security and eDiscovery?

IoT technology is increasingly being used by businesses. Smart manufacturing uses IoT to track assets, monitor inventory and automate factories. Health care providers use IoT technology to track pharmaceuticals, monitor patients’ health and send information to doctors. And utilities use smart grid technology to gather data regarding power use and outages.

While this ability to send and receive data provides powerful tools to improve consumer experience and gather information about consumer behavior, IoT presents several information governance and discovery challenges concerning data privacy, information security, and data preservation and extraction.

There are three main areas of concern: Data Privacy, Information Security, and eDiscovery.

Data Privacy

The data collected by these IoT devices may be subject to privacy regulations and there must be a clear understanding about the expectations of privacy with this data. Voice-controlled devices such as the Amazon Echo can record conversations that consumers may expect to be private. In fact, there is a recent case where the Echo is potentially being called as a "witness" in a murder trial! Additionally, devices with video cameras may be recording in the background without the user having to press record.

On top of that many IoT devices record and store data such as location, payment details, health data or other Personally Identifiable Information (PII). It is also critical to know where and how this data is stored as that could invoke state or federal data privacy laws.

To mitigate the risks associated with the inadvertent disclosure of private information, best practices include establishing consent, use and disclosure policies regarding the collection, storage and use of data and minimizing the collection and use of PII. This is applicable for business use as well when it comes to client information that may be part of the IoT ecosystem.

Information Security

IoT devices unfortunately also present a tremendous information security risk. Hackers can target these devices and gain access to not only the data on the device itself but possibly the larger IoT network of the organization. This could obviously have devastating effects.

To guard against these attacks, IoT devices should be held to the same standard of security as a laptop, smartphone or server. Just because there isn't a screen or a keyboard, doesn't mean it isn't a vulnerable endpoint. A detailed risk assessment with IT is a requirement.

On top of all that, this data should of course be governed like any other and be a part of your organization's information governance program. Managing the front line security is a key piece to security but it is also crucial that govern the data properly while it is being stored. This will help prevent risky Redundant, Obsolete and Trivial (ROT) data from accumulating.


Similar to traditional forms of electronically stored information (ESI), pertinent information from an IoT device will be discoverable during litigation. eDiscovery on IoT devices presents some unique challenges, which include the relationship of the data owner to the litigation, the ability to produce the data in a usable format, separating relevant information from the massive amounts of data collected and maintaining confidentiality. 

The data collected on an IoT device may live on the device only temporarily due to storage restrictions. From there, it is often transferred to the cloud or a remote server. These servers are commonly third-party, which presents some potential intricacies. The data may technically be in the possession of the service provider, the device manufacturer maintains control over the data for purposes of triggering preservation obligations under the Federal Rules of Civil Procedure or state law procedures.

As part of a comprehensive information governance program, organizations considering the use of a third-party data storage provider should evaluate the service provider’s ability to comply with company data retention policies, including the preservation of data, and to retrieve and deliver company data when necessary.

Now What?

The takeaway from all of this is that IoT devices must be treated like any other endpoint and the data they generate must be included when assessing your organization's information governance program. 

Receive News Updates As Soon As They Happen