As the Internet of Things (IoT) becomes a larger part of everyday life for both businesses and consumers, discussion has shifted to how IoT systems protect customer data. Firewalls, compliance engines, device authentication, and virtual private networks (VPNs) are integral components to cloud-based management platforms, and connected devices must be developed using a secure by design philosophy to protect against the theft or alteration of data through hacking, eavesdropping, and information leakage.
However, recent high-profile data breaches have raised public concerns about the kind of data that is available for collection and how it is used by web-based services. According to a Gemalto survey, only 27% of consumers feel that businesses take customer data security seriously, and 70% of consumers say they would stop doing business with a company if it experienced a data breach. As a result of these public perceptions, governments and other regulatory organizations have taken notice of companies that depend on data collection and mandate specific practices to hold them accountable for data security.
How Data-Centric Companies are Reacting to Regulations
In May 2018, the General Data Protection Regulation (GDPR) went into effect across the European Union. The GDPR aims to empower internet users to better understand and exercise their digital rights. Among other mandates, it requires companies to give customers full access to their personal data, illustrate the ways that personal data is collected and used, offer clear opt-out options, and publicly report data breaches within 72 hours of discovery. Furthermore, companies must ensure the right to be forgotten, a mandate that allows users to demand the removal of certain personal information that may be considered damaging, stigmatizing, or a hindrance to the autonomous development of their life.
While the GDPR only is enforceable within the EU, where a company can be fined as much as 4% of their global revenue for violating the regulation, the borderless nature of the World Wide Web has driven many internet-based companies to update their terms and conditions to comply with these new regulations and roll out tools for users to access their personal data profiles. On Twitter and Facebook, for example, users now can discover how they are categorized based on their interests and get a full report of which third-party companies have targeted them for advertising based on this data. The GDPR definition of personal data includes IP addresses, locations, browsing history, contacts, racial and cultural demographics, political opinions, and other information that could affiliate the user with a specific market.
What IoT Providers Can Do to Maintain User Trust and Use Data Ethically
Depending on the application, an IoT/M2M solution collects specific data regarding device usage, efficiency, service conditions, and device health and transmits the data to a cloud-based platform for analysis. Companies then utilize the IoT device data to increase operational effectiveness and provide agile, customized service to device users. On the consumer side, IoT data usually is implemented to create a smoother or more integrated user experience, such as smart home systems that learn a homeowners preferences for HVAC settings, light activation, and other conveniences. For business IoT, however, personal data can include highly sensitive information, such as customer expense accounts, proprietary business procedures, patented assets, and holistic real-time device insights.
Ideally, an IoT solution would be completely secure from data compromise at the hands of hackers, data miners, and other bad actors. Unfortunately, the potential for data breaches is ever-present since each connected device represents a doorway into the cloud where personal data is transmitted, analyzed, and stored. According to the Identity Theft Resources Center (ITRC), there were a record setting 1,293 internet data breaches in 2017, a majority of which came from the business sector.
In the face of data breaches and public mistrust of data collection, transparency is the key to using personal data ethically and responsibly without violating customer privacy. Effective IoT device security must allow for processes that address vulnerabilities quickly and completely. For example, strong device authentication practices that are leveraged and incorporated in the design phase can provide cryptographic proof of when and how a device has been tampered with. Public Key Infrastructure (PKI) and digital certificates can prioritize security without diminishing the user experience. New tools, such as customer-accessible data profiles and notification practices, developed in response to the GDPR provide a clear pathway for users to understand how personal data is acted upon to improve both the data collection system and interactions with it.
Transparency practices give consumers confidence in IoT systems. If a user has the ability to see the content of their collected data, gain insight into how it is used, is notified quickly of any breaches, and is instructed on how to protect themselves from compromise, it demonstrates mutual trust and responsibility on the part of an IoT provider.
Keep Your IoT Data Secure with Aeris IoT Services
Aeris believes that IoT needs security at the design stage, not as an afterthought, which is why we have developed the tools and expertise to mitigate risks with the responsible development of IoT applications. Our cloud-based mobility platform makes it easier than ever for companies to securely manage and optimize IoT/M2M deployments. In addition, Aeris is committed to personal data collection practices that are ethical, lawful, and relevant only to the purpose of the specific IoT mission.