Recently, Amazon refused (registration required) to provide data from an Amazon Echo device in a case involving a double homicide, in response to an order issued by a New Hampshire state judge. Prosecutors believe that the Echo may have recorded data relevant to the crime; a potential perpetrator has already been charged. In a statement released November 20th, Amazon said that it “will not release customer information without a valid and binding legal demand properly served on us.” New Hampshire does not provide electronic access to court records, so it is not known as of this post whether Amazon has been served with the court order and complied. The order was signed by Justice Steven Houran on November 5.
As we have discussed, CA recently passed legislation requiring manufacturers of connected devices, often referred to as Internet of Things (“IoT”) devices, to equip these devices with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” California’s legislature has apparently recognized that providing security for these devices needs to be a priority to protect consumers.
Companies such as Amazon depend on consumers being willing to purchase IoT devices such as Amazon’s Echo and allow them into their homes and their lives. Consumers, in the aggregate, will likely only be willing to allow these devices into their homes if they trust that the company behind the device will protect their data in a way that they feel comfortable with.
Companies that wish to build and maintain this trust with consumers will need to ensure that they go beyond the barebones legal requirements and convince consumers through their corporate actions that they take privacy and data protection seriously. This will involve implementing a comprehensive privacy and data security program that includes at least the three parts below.
- Provide Appropriate Security for the IoT Device
As outlined above, appropriate security for the IoT Device will be a legal requirement under California law. Even so, device companies that are serious about large-scale adoption need to think beyond just the risk of legal enforcement. How likely are consumers to introduce an IoT device that has access to their sensitive data, and could, for example, record audio or video of their daily activities, if they feel the company is not serious about providing security measures to prevent unauthorized access?
- Protecting Data Collected by the IoT Device Against Improper Use Or Request By Third Parties
If you have any questions as to how your entity could build and implement an effective privacy and data security program, please do not hesitate to contact the team at Mintz.