Last week in JD Supra I wrote about How the ‘Internet of Things’ Will Impact Data Security and Privacy. In the post, I noted some of the challenges associated with putting customer data in the cloud, which will likely be the final repository for enabling technologies such as mobile phones, sensors and actuators, RFID, etc. In just a single day, we will leave digital footprints that track data about our preferences and decisions, from grocery shopping to FitBit data to where we have parked our cars and for how long.
While the benefits of a world where our physical objects are integrated into the information network promise to bring greater efficiencies and decision-making, data security and privacy issues are no doubt at the forefront as real and significant threats in this ‘Internet of Things.’ There is no better illustration than the recent spate of cyberattacks and data breaches that have put the spotlight on the risks of failing to protect sensitive information.
Given the ubiquity of the ‘Internet of Things,’ it’s likely just a matter of time until litigious issues over devices that comprise the ‘Internet of Things’ arise. (By way of example, last September the FTC charged TRENDNet, a company that manufacturers video cameras designed to allow consumers to monitor their homes remotely, with lax security practices that “exposed the private lives of hundreds of consumers to public viewing on the Internet.”)
Knowing that litigation and regulatory enforcement actions are possible, what does this mean for the practice of law, and e-discovery in particular, when it comes to safeguarding data? First, it means that there are troves of data that previously may not have been considered that are in the custody of your clients or third parties. Second, e-discovery practitioners will need to get up to speed quickly on what new questions to ask clients about their data that is collected and stored.
Drawing parallels to security and privacy issues in an e-discovery context, in which data for review oftentimes is stored in the cloud, there are some very real considerations for e-discovery practitioners as it relates to data security and privacy:
- Who ultimately owns the data?
- How will that data be shared?
- Where is the data being stored – is it a public or private cloud? Are stringent security mechanisms in place, such as ISO 27001 certification?
- Who has access to your data and under what conditions and authorizations?
- Is there continuous chain of custody, or are there risks that data may make a number of “stops” (and how secure are they?) before sitting in its final repository?
- Is the data encrypted?
There is not a lot of precedent, and courts will be forced to rule on after the fact. Regardless, the ‘Internet of Things’ will require that practitioners get up to speed on policies and best practices to protect ever-growing volumes of data.
About the Author