On March 9, 2021, Bloomberg reported hackers had accessed videos and data from thousands of security cameras in an event now known as the Verkada breach. Our first post about the incident covered the importance of end-to-end Internet of Things (IoT) security; this post takes a deeper look at IoT data privacy risk and suggests how purchasing organizations can mitigate it. It’s worth considering lessons learned from this breach and revising procurement, vendor management and operational practices to mitigate data privacy risks specific to IoT devices.
The complexity of IoT introduces new risk. Typically, IoT solutions consist of multiple onsite devices to capture data in a variety of forms. That data is transmitted elsewhere for storage, often in the cloud. In transit and at rest, the data is vulnerable to exposure. An IoT vendor like Verkada doesn’t have full control over the data, either; data created at the purchasing organization’s location is transmitted over the internet and stored with Verkada’s cloud provider. Purchasing organizations have little influence over IoT vendors’ choice of partners, evolution of capabilities or transition of the supporting ecosystem.
Businesses often choose solutions based largely on overall cost, simplicity of installation and ease of use. In addition to these, IoT purchasing organizations should also consider what data is being collected and how it will be used. They should engage security and privacy experts to identify new risks and obligations, such as needing consent from videotaped subjects.
Personally Identifiable Information (PII) seemed a static concept once, but it’s changing as innovative technologies generate data with meaningful metadata. IoT devices will often produce device identification, location, date and time information along with a video, image or other digital asset. When IoT technology creates PII, purchasing organizations and IoT vendors share a responsibility to ensure data is transmitted and stored securely, encrypted and anonymized so it can’t identify an individual.
IoT security begins with understanding requirements. Assemble teams for IoT procurement or operation that include not only business, application and cybersecurity expertise but also legal, privacy, compliance and architecture support.
Invest time and effort in diligent IoT vendor selection. Some data privacy questions to consider:
- What data do you possess that a hacker organization would want?
- What are the security and privacy features of the devices? Is sensitive data stored on devices?
- What policies and procedures exist for physical breaches?
- How secure is the network? How is data protected in transit? Is it encrypted?
- How is the data secured on the backend? Who is the IoT vendor’s cloud services provider, and what are their data security practices?
- How is the data stored and managed by the vendor?
- Do potential solutions segregate customer data repositories?
- Who can access components of the solution, including control of devices? Who is permitted to access data? What are the roles and permissions of each account, and how are permissions organized into roles for the IoT vendor, who authorizes access for third parties?
- What security/privacy training is required for IoT vendor employees? What security/privacy training is provided to the purchasing organization’s employees?
- Has the IoT vendor established appropriate data governance to ensure an ethical and disciplined approach to security and privacy? Their governance program should include strong protocols and structure around protecting the data itself. Governance should ensure controlled, secure data access across all touchpoints of the IoT ecosystem: the device itself, network, transmission protocols, data storage and analytics.
Purchasing organizations should negotiate agreements that provide recourse in the event of a breach. Contracts should:
- Specify security features and access control policies in line with emerging guidelines and the upcoming implications of the recent Executive Order on Cybersecurity.
- Stipulate breach notification timeframes and penalties if the IoT vendor fails to ensure security and privacy.
- Require notification if the IoT vendors’ third-party providers change.
- Establish ownership of data and indicate that the purchasing organization does not consent to unauthorized sale or use of its data.
- Require regular access and audit log reports.
- Require that the IoT vendor put minimum baseline technical safeguards in place for data protection.
IoT solution contracts may call for periodic renewal and review, providing an opportunity to renegotiate provisions. Purchasing organizations can learn from breaches in the news and privacy regulation changes to make the most of renegotiation opportunities.
Purchasing organizations will have little control over emerging product features and IoT vendors’ changing partnerships after purchase. Monitor the IoT solution for post-implementation modifications to architecture, features and partnerships and re-test after any change. Throughout the IoT vendor relationship, purchasing organizations should make roles and responsibilities explicit. For instance:
- Purchasing organizations should:
- Specify detailed security requirements.
- Determine what consent they need from stakeholders for retaining, sharing and using IoT data.
- Monitor how data is being stored, accessed and controlled by the IoT vendor.
- Establish data breach response capabilities for the solution. Breaches could include stolen data or exposed trade secrets.
- IoT vendors should:
- Implement the solution per the purchasing organization’s security and privacy requirements.
- Provide updates as solution features or third-party relationships change and participate in new testing.
There is no turning away from the opportunities IoT solutions represent. The risks are substantial, however. IoT vendors and purchasing organizations alike have roles in ensuring IoT data privacy. Anticipating the worst of the risks will be critical to ensuring data privacy for all stakeholders.