Before diving head first into the world of IoT, local governments should seriously consider some of the potential risks when it comes to critical matters like cybersecurity.
Editor's Note: This guest article by Maggie Pasqualone, the assistant law director for the City of Kettering, Ohio, originally appeared on Engaging Local Government Leaders and is republished here with permission of ELGL. The content contained in this blog post does not constitute the provision of legal advice. The comments and opinions expressed below are those of the individual author and may not reflect the opinions of the City of Kettering.
Maybe it’s because I’m a bit of a conspiracy theorist, or maybe it’s because I consider myself somewhat of a traditionalist, but the concept of the Internet of Things (the “IOT”) makes me want to hide under my desk. Maybe you’ve already pegged me as an old fogey, stuck in my ways, and just passing the time by yelling at neighborhood kids to stay off my lawn. Well, that may be partly true, but I’m actually only thirty-one, an older millennial by definition, and yes, the Internet of Things makes me want to buy a tent and live in the wilderness . . . where the robots can’t find me. It makes me want to push buttons manually, you know, the old-fashioned way . . . without mind control. It makes me want to run around my house checking the potted plants for bugs, just to make sure “the man” isn’t watching.
If you’re not already aware, like I wasn’t about a week ago, when folks talk about the “Internet of Things” they mean a giant network of things or objects that are all connected to the Internet, talking to one another, collecting mountains of data, in an effort to make our lives easier or better. You might be thinking, “doesn’t that already exist?” Yes, but the IOT contemplates something so much bigger than social media and some cool apps on your phone. Think along the lines of the old cartoon, The Jetsons. Your car will be driverless, and you’ll turn it on via Facebook app. Your Ford Autobot won’t hit anything because everything in its path will be outfitted with sensors and microchips to allow it to talk to all buildings, roads, bridges, etc. You will control every aspect of your home and office, i.e. your refrigerator, garage doors, security systems, baby monitors, heating and AC, toilet, and a host of other things with your phone, your computer, or your light saber. Your child’s school, the businesses you frequent, and all other aspects of your City will be connected, collecting data, talking to one another for various purposes, knowing what you need before you even realize you need it.
Now some of you are literally salivating at this brave new world I’ve been describing because you’re thinking of all the wonderful possibilities it brings, like making daily tasks even easier, public services even faster, and the entire world generally safer, more convenient, and efficient. But as a municipal attorney, my first thoughts are not about the billion points of awesomeness that the IOT might bring.
My first thoughts focus on the billion points of policy that are probably already making a host of attorneys and risk managers want to hover board for the hills. Perhaps some of you may think of me as a “wet blanket,” “a kill joy,” “a stick in the mud,” or maybe something more creative, like the “grim reaper of all things fun, progressive, and exciting.” But before you shower me with compliments, let’s seriously consider some of the potential consequences of the IOT.
Many times, you’ll be agreeing to allow a company to use the data you produce from all your IOT devices in a myriad of ways, including sharing it with or selling it to whomever, whenever. You can see the issue with that; there will likely be many more opportunities for your financial and other very personal information to fall into the wrong hands. Keep in mind, these vulnerabilities will not just affect you personally, but all organizations that are plugged into the IOT.
The Security concern is about how vulnerable your devices are to hackers and others abusing the Internet as well as everything connected to it. According to James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies, many Wi-Fi connected devices use simple processors, which make them more vulnerable to hacking than those devices with more sophisticated processors that include advanced security functions, like your PC. (2) According to Mr. Lewis, an example of one of these less secure Wi-Fi connected devices is one that is nearly ready to go on the market, the driverless car. (3) Can you imagine a world filled with driverless vehicles? Are you comfortable with your car being hacked by some stranger halfway around the world who wants to mess around with your brakes? How about your child’s driverless school bus? My point in mentioning these unsettling examples is that the IOT privacy and security threats are real and have the potential to cause massive damage to all of us as individuals and as a society. Thus, the IOT must have boundaries, and the experts agree. According to Mr. Lewis, “both devices and the networks that connect them will need to be made more secure, and the government should set higher standards for more advanced gadgets that create valuable data, perform crucial functions, and produce mass effect.” (4)
So now that you’re sufficiently freaked out, join me under my desk for a small, very obvious nugget of advice. Ready for it? Embrace the policies! Be ready to draft and/or update your policies and review them annually or even more frequently to make sure they’re relevant to the changing tides.
To start, I would focus on three kinds of policies: (1) technology use policies; (2) records retention schedules; and (3) communications policies. Although perhaps titled differently, your organization likely already utilizes all three of these, and if so, a fresh look is in order.
Tip No. 1: Technology Use Policy
If you don’t already, you’ll need a very well drafted technology use policy that dictates how your employees are purchasing, using, and disposing of all connected items that your organization uses. This policy needs to define “technology” broadly so that it incorporates all things that could potentially fit into the IOT. A few key questions that might help formulate your policy are: (1) Who can and cannot use certain networks and devices? (2) What are the acceptable and prohibited uses of all the various networks and devices? (3) What are the user’s security and information protection responsibilities, including password requirements? (4) What are the procedures for purchasing and disposing of these devices, including procedures for reviewing online terms of service, disclaimers, and clickwrap agreements? (5) What should employees do, or whom should they report to, if they think there is a security or privacy breach? (6) What are the penalties for violating the policy? Sit down with a tech professional, your HR representative, and your attorney to formulate the specific policy standards. Finally, require all employees to read the policy and provide annual or even more frequent trainings on the topic.
Tip No. 2: Retention Schedules
Next, start planning for changes to your records retention schedules now before your organization is replete with new devices producing an overwhelming amount of data records. As government entities, we’re tempted to err on the side of caution, so we keep records forever or at least longer than necessary. (5) However, in an IOT world it will likely be impossible to keep this up. (6) Start trying to determine which existing categories different types of data may fall into, and see if your retention schedules are too long. Perhaps you will need to create new categories, which can take some time and thought. However, it’s best to be proactive now rather than to be blindsided later and expose your organization to unnecessary risk. Additionally, as the IOT progresses, you better believe that changes in state and federal policies regarding records retention will follow. So remember to stay on top of the political discussion and adjust administrative policies accordingly if necessary.
Tip No. 3: Communications Policy
Finally, take another look at your organization’s communications policy, which should cover employee and public use of your Wi-Fi connections, social media accounts, and websites. When literally everyone and everything is connected in the IOT world, a new type of decorum will have to be established through your communications policy. You’ll need to consider your own online disclaimers and clickwrap agreements for those non-employees desiring to use your Wi-Fi and other connected devices. These policies will help you determine what behaviors are appropriate and when and how troublemakers should be removed from your network or accounts. Additionally, the IOT will present new opportunities for distractions at work. When everyone is controlling their personal lives via smartphones and other personal devices, you may observe a decline in productivity without some clear boundaries in place. A solid communications policy along with consistent employee training should help your organization prepare and adjust in an IOT workplace.
So, if you’re like me, and the IOT is a bit intimidating, I hope you take some solace in the fact that the policies guiding it will likely be as pervasive as the IOT itself. Perhaps then . . . when we have the billion points of policy figured out . . . I might come out from under my desk. Unless there are robots . . . wait, are there robots?
- 1 U.S. Federal Trade Commission, Internet of Things Privacy & Security in a Connected World, published January 2015, available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
- 2 Tom Risen, The Privacy, Security Risks of the Internet of Things, www.usnews.com, published January 22, 2016, http://www.usnews.com/news/articles/2016-01-22/the-privacy-security-risks-of-the-internet-of-things.
- 3 Id.
- 4 Id.
- 5 Sue Trombley, Is Your Information Governance Plan Ready for the Internet of Things? www.hrmagazine.co.uk, published May 29, 2015, http://www.hrmagazine.co.uk/article-details/is-your-information-governance-plan-ready-for-the-internet-of-things.
- 6 Id.
Maggie Pasqualone is the assistant law director in the City of Kettering, Ohio.