The internet of things (IoT) connects a broad range of devices using an IP address. It can range from smart TVs and phones to home security systems and thermostats… And the list goes on.

A popular prediction is that by 2020, the internet of things will comprise no less than 50 billion devices.

This type of wide adoption raises concerns about personal data and privacy. How is it collected, how is it used, and how may it make your organization vulnerable to risk?

Understand Privacy Risks Resulting from the Internet of Things

As the internet of things tech advances and companies have greater monetary incentives to process the data, privacy and transparency need to be considered.

The more connected devices there are, the greater the risk of being compromised.

The FTC report “Internet of Things: Privacy & Security in a Connected World” indicates that fewer than 10,000 households generate 150 million discrete data points daily.

Connected Cars & The Automobile Industry’s Push for Self-Regulation

Connected cars have IP addresses and can connect to devices, other cars, or internal and external networks.

Unless anonymized, all data from a car is potentially personal, frequently behavioral, sometimes social, and now with payment systems, sensitive, financial, and reputational.

For example, a connected car could access a credit card number, where the data subject drove before and after a purchase, where they live and work, and all of a phone’s contacts.

It may also deduce how they typically drive, and whether the data subject is driving in a particularly erratic manner at a given moment.

Other examples include: navigation apps, music streaming, or wifi hotspots. Some apps can even use connected cars’ cameras to find open parking spots for drivers.

As infotainment centers and features in cars become more advanced, they collect more personal information.

connected carsIn late 2014, the Alliance of Automobile Manufacturers developed and released a set of Consumer Protection Privacy Principles to be incorporated into the privacy policies and statements of car manufacturers.

In the following year, lawmakers and industry experts began to take an interest in how automotive companies would protect driver privacy as more connected cars are introduced to the market.

Now, regulators are increasingly weighing in. When it comes to connected automobiles alone, privacy laws and enforcements are growing.

In a keynote presentation at the 2016 Connected Cars conference, FTC Commissioner Terry Sweeney stated that the Commission was watching to ensure that automobiles protect the security and privacy of consumers.

The European Commission has also been paying attention to the advancements of data collection from connect vehicles and has suggested ways to ensure that personal data provided is kept safe.

France’s data protection authority CNIL released a compliance package which provides guidelines for how to treat the personal data gathered by connected cars.

This guideline is intended to be consistent with requirements under the EU General Data Protection Regulation (GDPR) when that law goes into effect next year.

IoT and Unauthorized Disclosure of Data: Incident or Breach?

Like any other privacy incident in which private, protected data is revealed without authorization, an incident involving an IoT device should be analyzed under all applicable breach notification laws and contractual obligations.

When conducting a multi-factor risk assessment to determine if an incident meets a breach threshold, keep the following in mind:

Know the Difference Between a Data Incident or Data Breach

Understand the difference between an incident and a breach, it’s key to determining if your incident requires notification.

Making this determination means answering questions such as:

    • How was the data stored?
    • How was it transmitted?
    • Were there adequate technical safeguards in place with respect to storage and transmission?
    • How much risk should be attributed to the recipient?
    • Were they authorized?
    • How likely are they to misuse the data?
    • Are there any administrative or contractual protections on that relationship?
    • After the incident, were there any mitigation measures taken, such as remotely wiping storage media, the changing of credentials, or other measures that could limit or remove further risk exposure?

Use a Consistent Risk Assessment Process

Proving consistency in your risk assessment process can help you pass audit – or even avoid coming under scrutiny of audit.

Automation tools in incident response provide a consistent process for documenting and profiling the incident, scoring that incident against applicable laws, and generating incident specific guidance and decision-support.

Track Trends and Improve

Track trends in incident categories and root causes. Learn from these incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk.

Automation is key to ensuring proper analysis and risk mitigation.

The Future of Connected Cars

The predictions for connected cars, and more importantly, their data, are overwhelmingly optimistic. A BI Intelligence report on connected cars predicts that over 380 million connected cars will be on the road by 2021.

With all of the connected cars comes a lot of connected car data. Fortune magazine predicts that by 2020, autonomous vehicles will generate about 4,000 gigabytes of data a day.

According to Intel, that much data would normally be generated by about 3,000 people through use of their PCs, mobile phones and other wearable technology. That data will be monetized.

At the LA Auto Show, Intel CEO Brian Krzanich announced that “data is the new oil.”

As new connected car technology advances and companies have greater monetary incentives to process the data, privacy and transparency should be considered.

With car manufacturers operating on a global scale it’s likely that international privacy regulations, such as the EU GDPR may apply.