CybersecurityEmerging TechnologiesPrivacyVulnerability/Incidents

Managing IoT for Data Privacy

Christine LivingstonManisha Agarwal-Shah
June 7, 2021
5 min read

On March 9, 2021, Bloomberg reported hackers had accessed videos and data from thousands of security cameras in an event now known as the Verkada breach. Our first post about the incident covered the importance of end-to-end Internet of Things (IoT) security; this post takes a deeper look at IoT data privacy risk and suggests how purchasing organizations can mitigate it. It’s worth considering lessons learned from this breach and revising procurement, vendor management and operational practices to mitigate data privacy risks specific to IoT devices.

The complexity of IoT introduces new risk. Typically, IoT solutions consist of multiple onsite devices to capture data in a variety of forms. That data is transmitted elsewhere for storage, often in the cloud. In transit and at rest, the data is vulnerable to exposure. An IoT vendor like Verkada doesn’t have full control over the data, either; data created at the purchasing organization’s location is transmitted over the internet and stored with Verkada’s cloud provider. Purchasing organizations have little influence over IoT vendors’ choice of partners, evolution of capabilities or transition of the supporting ecosystem.

Businesses often choose solutions based largely on overall cost, simplicity of installation and ease of use. In addition to these, IoT purchasing organizations should also consider what data is being collected and how it will be used. They should engage security and privacy experts to identify new risks and obligations, such as needing consent from videotaped subjects.

Personally Identifiable Information (PII) seemed a static concept once, but it’s changing as innovative technologies generate data with meaningful metadata. IoT devices will often produce device identification, location, date and time information along with a video, image or other digital asset. When IoT technology creates PII, purchasing organizations and IoT vendors share a responsibility to ensure data is transmitted and stored securely, encrypted and anonymized so it can’t identify an individual.

IoT security begins with understanding requirements. Assemble teams for IoT procurement or operation that include not only business, application and cybersecurity expertise but also legal, privacy, compliance and architecture support.

Invest time and effort in diligent IoT vendor selection. Some data privacy questions to consider:

  1. What data do you possess that a hacker organization would want?
  2. What are the security and privacy features of the devices? Is sensitive data stored on devices?
  3. What policies and procedures exist for physical breaches?
  4. How secure is the network? How is data protected in transit? Is it encrypted?
  5. How is the data secured on the backend? Who is the IoT vendor’s cloud services provider, and what are their data security practices?
  6. How is the data stored and managed by the vendor?
  7. Do potential solutions segregate customer data repositories?
  8. Who can access components of the solution, including control of devices? Who is permitted to access data? What are the roles and permissions of each account, and how are permissions organized into roles for the IoT vendor, who authorizes access for third parties?
  9. What security/privacy training is required for IoT vendor employees? What security/privacy training is provided to the purchasing organization’s employees?
  10. Has the IoT vendor established appropriate data governance to ensure an ethical and disciplined approach to security and privacy? Their governance program should include strong protocols and structure around protecting the data itself. Governance should ensure controlled, secure data access across all touchpoints of the IoT ecosystem: the device itself, network, transmission protocols, data storage and analytics.

Purchasing organizations should negotiate agreements that provide recourse in the event of a breach. Contracts should:

  • Specify security features and access control policies in line with emerging guidelines and the upcoming implications of the recent Executive Order on Cybersecurity.
  • Stipulate breach notification timeframes and penalties if the IoT vendor fails to ensure security and privacy.
  • Require notification if the IoT vendors’ third-party providers change.
  • Establish ownership of data and indicate that the purchasing organization does not consent to unauthorized sale or use of its data.
  • Require regular access and audit log reports.
  • Require that the IoT vendor put minimum baseline technical safeguards in place for data protection.

IoT solution contracts may call for periodic renewal and review, providing an opportunity to renegotiate provisions. Purchasing organizations can learn from breaches in the news and privacy regulation changes to make the most of renegotiation opportunities.

Purchasing organizations will have little control over emerging product features and IoT vendors’ changing partnerships after purchase. Monitor the IoT solution for post-implementation modifications to architecture, features and partnerships and re-test after any change. Throughout the IoT vendor relationship, purchasing organizations should make roles and responsibilities explicit. For instance:

  • Purchasing organizations should:
    • Specify detailed security requirements.
    • Determine what consent they need from stakeholders for retaining, sharing and using IoT data.
    • Monitor how data is being stored, accessed and controlled by the IoT vendor.
    • Establish data breach response capabilities for the solution. Breaches could include stolen data or exposed trade secrets.
  • IoT vendors should:
    • Implement the solution per the purchasing organization’s security and privacy requirements.
    • Provide updates as solution features or third-party relationships change and participate in new testing.

There is no turning away from the opportunities IoT solutions represent. The risks are substantial, however. IoT vendors and purchasing organizations alike have roles in ensuring IoT data privacy. Anticipating the worst of the risks will be critical to ensuring data privacy for all stakeholders.

To learn more about our emerging technologies and cybersecurity capabilities, contact us.

Christine Livingston

Managing Director
Emerging Technology Solutions

View all posts

Manisha Agarwal-Shah

Managing Director
Security and Privacy

View all posts

You may also like

Emerging TechnologiesTechnology Resilience

Client Story: Hospitality Company Builds Foundation for Pursuing Responsible AI, Mitigating Risk with Comprehensive Standards and Enhanced Controls

As is the case with many organizations today, this multinational hospitality company was contemplating how best to introduce and manage model-based/generative artificial intelligence (AI) across its worldwide network. The balance between risk and...

Scott LaliberteJoel WuesthoffRichard Kessler
April 16, 2024
20 views

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
8 Apr

Join our experts on April 25 as they delve deep into the strategies and practices essential for safeguarding customer trust, ensuring a stellar user experience, and adhering to privacy and data security standards. Register today! https://ow.ly/fumH50R4fbw #DataPrivacy

Reply on Twitter 1777336025301254502 Retweet on Twitter 1777336025301254502 Like on Twitter 1777336025301254502 Twitter 1777336025301254502
protivititech Protiviti Technology @protivititech ·
5 Apr

Find out how businesses can use #AI technologies for real use cases in #Quantum sensing, simulations and migration to post-quantum cryptography during the latest podcast episode with guest @paul_kassebaum. https://ow.ly/Wy7u50R9t8M

Reply on Twitter 1776309432592330940 Retweet on Twitter 1776309432592330940 1 Like on Twitter 1776309432592330940 4 Twitter 1776309432592330940
protivititech Protiviti Technology @protivititech ·
5 Apr

Protiviti’s Kim Bozzella explains how technology and #Automation in the #Manufacturing industry has—and will continue to—improve productivity and quality enhancement. Read more from the Forbes Technology Council. https://ow.ly/nTPy50R7WYC

Reply on Twitter 1776249003769803111 Retweet on Twitter 1776249003769803111 Like on Twitter 1776249003769803111 Twitter 1776249003769803111
protivititech Protiviti Technology @protivititech ·
1 Apr

Organizations who are part of the Department of Defense supply chain must understand, identify and protect controlled unclassified information, often called #CUI in their environments. Here’s what you need to know: https://ow.ly/bjbW50R59Ke #ProtivitiTech

Reply on Twitter 1774769203540566390 Retweet on Twitter 1774769203540566390 Like on Twitter 1774769203540566390 Twitter 1774769203540566390
protivititech Protiviti Technology @protivititech ·
29 Mar

A global hospitality company is well positioned to leverage the latest AI technologies after hiring Protiviti to establish and implement a comprehensive AI governance standard. Read our latest client story: https://ow.ly/Ir7R50R4nrh #ProtivitiTech #ClientStory

Reply on Twitter 1773772540306919718 Retweet on Twitter 1773772540306919718 Like on Twitter 1773772540306919718 1 Twitter 1773772540306919718
Load More