Do You Really Need to Store That IoT Data?

Not only are companies collecting a massive amount of data generated by the Internet of Things (IoT), they are storing it too. According to a survey of 1,000 enterprises conducted by 451 Research, 71 percent of enterprises are gathering IoT data and nearly half of the data generated are being stored. What the survey doesn't reveal is if companies are considering the legal implications of storing IoT data and preparing to deal with demands for that data from outside entities. Some contend that the IoT is on the brink of changing life as we know it. According to Gartner, 20.8 billion objects will be connected to the internet by 2020. On their own, droves of these data-generating things will churn out an inconceivable amount of intriguing data about our patterns of behaviors. And, when they begin talking to each other, the IoT will be as prevalent as oxygen.

With the IoT's capability to fade into the background of our lives and quietly play witness to our worlds, the data it generates will pique the interest of a parade of public and private third parties that we can only begin to imagine, but that's exactly what general counsel need to do. Sit down with business executives who are spearheading IoT projects and talk about the near-future risks associated with storing IoT data, prepare to respond with requests for IoT data and think about the impact to consumers.

When product development and marketing executives are working on an IoT initiative, top of mind are returns on investment, storage options and product development lifecycles. The last thing they are thinking about are criminal investigations, subpoenas and expectations of privacy rights. But, in-house counsel need to engage business executives about the nature of the data—whether it needs to be stored and for how long—before the data is collected, not after when it's much more difficult to walk back.

Without legal counsel, business executives are more likely to store IoT they might not necessarily need, laboring under the notion that they may decide to use it down the road. Business executives need to understand not just the costs but the risks associated with storing IoT data as well as consider risk mitigation options such as building in automatic data deletion when data is no longer needed.

With its ability to tell stories about who we are, what we are doing and why, IoT data will reveal information that public and private parties are willing to fight for in court and pay big money to gain access to. Most of us have heard about police requesting access to Amazon's personal digital assistant to help solve a murder case. In a different case, police are attempting to use Fitbit data to prove a husband was involved in his wife's death.

When data requests arise, will you institute a do-no-evil policy such as Alphabet Inc.'s Google, which vows to only turn over data if a proper search warrant is issued? Will you fight any court requests tooth and nail and make a public show of it to strengthen your privacy-protecting brand? Or, will you cooperate with any police requests? Or will you cooperate only with a court order? And how will you disclose all of this to consumers?

Similar to a breach response plan, in-house counsel should be prepared to react to any third-party request for data—be it law enforcement, government regulator or third-party litigant—in accordance with a corporate position and plan. And the plan should take into account the potential legal and public relations issues, given that these types of unanticipated issues can provoke an emotional response from the public.

The IoT is booming, devices are proliferating and IoT-generated data is already beginning to attract the attention of police. And, it's only a matter of time before more parties come knocking on your digital door with data requests. In-house counsel need to be involved with IoT initiatives from the start, regardless of the form they take. Early intervention will minimize the risk of unnecessary collection and storage of IoT data, as well as give GCs the opportunity to promulgate policies for how the company will deal with IoT data demands.


Reprinted with permission from the August 7, 2017, edition of Corporate Counsel. ©2017 ALM Media Properties, LLC.

All rights reserved. Further duplication without permission is prohibited.