Data Protection and Security as it relates to the Internet of Things
Forbes.com describes the “Internet of Things” as “the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other)”. Examples of this include:
- Smartwatches such as the Apple Watch which have enabled text messaging, phone calls, and so on;
- Wearable Technology such as the Fitbit which tracks your activity, exercise, food, weight and sleep, and wirelessly transmits this data to computers and smartphones; and
- Smart Speakers such as the Amazon Echo, which features a voice-controlled personal assistant called Alexa that users can instruct to perform a variety of functions, such as play music, provide a weather report, get sports scores, order an Uber, and more.
The use of Internet of Things devices is widely expected to become only more pervasive with time, as the concepts of smart cities and smart homes rise in popularity.
From a data protection and security perspective, some risks may be present when using Internet of Things devices, such as the following:
- A lack of built-in security in Internet of Things devices;
- Susceptibility to hacking, as the copious amounts of data generated by Internet of Things devices open up more entry points for hackers;
- Spying by companies using Internet of Things devices in order to obtain consumer behaviour data, for example, insurance companies accessing health information which may be used to make decisions about premiums;
- Commercial spying by competitors to unlawfully acquire business information in order to obtain a competitive advantage; and
- Software applications and network connections used in conjunction with Internet of Things devices may lack security.
Because sensitive information is often shared by Internet of Things devices, it is important to consider whether the convenience brought about by their use justifies the risks inherent in them.
It is also important for Internet of Things devices to comply with the law. The Protection of Personal Information Act No. 4 of 2013 (“POPI”) has been signed into law and will be effective soon. POPI regulates the processing of personal information in a manner that gives effect to the right to privacy.
POPI requires that businesses making Internet of Things devices take appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, personal information, as well as unlawful access to, or collection, retention, dissemination or use of, personal information. In doing so, businesses must:
- Identify all reasonably foreseeable internal and external risks to personal information in their possession or under their control;
- Establish and maintain appropriate safeguards against the risks identified;
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Businesses manufacturing Internet of Things devices have a duty to have due regard to generally accepted information security practices and procedures which may apply to them generally or which are required in terms of specific industry or professional rules and regulations which may be applicable to them.
Additionally, where there has been a known data breach or if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the business must notify the Information Regulator and any party whose information was so accessed or acquired.
It is clear that the law requires security to be built into Internet of Things devices as well as into the software applications and network connections that link to the devices. Overlooking this could result in severe penalties being imposed on the business in terms of POPI.