What does the internet of things mean for data breaches?

Regulators say new troves of hackable data created by connected devices make the need for a national data breach standard that much more urgent.

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen.
 

The explosive growth of internet-connected devices creates new pathways for attack for hackers, and expands the possibilities of the kinds of data that can be compromised. The question before policymakers is whether new laws are needed to protect consumers and to govern disclosure of data breaches.

At a May 10 American Bar Association event, Federal Trade Commission Associate Director for Privacy and Identity Protection Maneesha Mithal said that, on the consumer side, the "ubiquitous data collection" creates new risks for consumers, and the voluminous data creates "treasure troves for hackers."

Naomi Lefkowitz, a senior privacy policy advisor at the National Institute of Standards and Technology, said, "there will be no perfect privacy," adding that communication and disclosure -- based on standards -- can help address privacy and security concerns.

Mithal said the new risks posed by IOT -- such as companies' not fully informing consumers about their data collection practices and not adequately securing consumer information -- require legislative solutions.

"I do believe we need additional legislation to perform federal data security and data breach notification legislation that would apply across-the-board to all companies, including IOT," she said.

Currently, there is no single data breach notification standard that applies nationwide. U.S. states create their own laws that cover their residents and businesses. Under the Obama administration, several efforts were initiated by the White House and in Congress to push a federal standard, but no new law resulted.

Ruth Hill Bro, former chair of the ABA section of science and technology law, added that industry would likely support such legislation.

"A lot of companies would welcome having one federal benchmark," for security and data breach notification rather than having to analyze 50 different ones for each state.