The Internet of Things and Cities: A Billion Points of Policy

Before diving head first into the world of IoT, local governments should seriously consider some of the potential risks when it comes to critical matters like cybersecurity.

Editor's Note: This guest article by Maggie Pasqualone, the assistant law director for the City of Kettering, Ohio, originally appeared on Engaging Local Government Leaders and is republished here with permission of ELGL. The content contained in this blog post does not constitute the provision of legal advice. The comments and opinions expressed below are those of the individual author and may not reflect the opinions of the City of Kettering.

Maybe it’s because I’m a bit of a conspiracy theorist, or maybe it’s because I consider myself somewhat of a traditionalist, but the concept of the Internet of Things (the “IOT”) makes me want to hide under my desk. Maybe you’ve already pegged me as an old fogey, stuck in my ways, and just passing the time by yelling at neighborhood kids to stay off my lawn. Well, that may be partly true, but I’m actually only thirty-one, an older millennial by definition, and yes, the Internet of Things makes me want to buy a tent and live in the wilderness . . . where the robots can’t find me. It makes me want to push buttons manually, you know, the old-fashioned way . . . without mind control. It makes me want to run around my house checking the potted plants for bugs, just to make sure “the man” isn’t watching.

If you’re not already aware, like I wasn’t about a week ago, when folks talk about the “Internet of Things” they mean a giant network of things or objects that are all connected to the Internet, talking to one another, collecting mountains of data, in an effort to make our lives easier or better. You might be thinking, “doesn’t that already exist?” Yes, but the IOT contemplates something so much bigger than social media and some cool apps on your phone. Think along the lines of the old cartoon, The Jetsons. Your car will be driverless, and you’ll turn it on via a Facebook app. Your Ford Autobot won’t hit anything because everything in its path will be outfitted with sensors and microchips to allow it to talk to all buildings, roads, bridges, etc. You will control every aspect of your home and office, e.g., your refrigerator, garage doors, security systems, baby monitors, heating and AC, toilet, and a host of other things with your phone, your computer, or your light saber. Your child’s school, the businesses you frequent, and all other aspects of your City will be connected, collecting data, talking to one another for various purposes, knowing what you need before you even realize you need it.

Now some of you are literally salivating at this brave new world I’ve been describing because you’re thinking of all the wonderful possibilities it brings, like making daily tasks even easier, public services even faster, and the entire world generally safer, more convenient, and efficient.  But as a municipal attorney, my first thoughts are not about the billion points of awesomeness that the IOT might bring.

My first thoughts focus on the billion points of policy that are probably already making a host of attorneys and risk managers want to hover board for the hills. Perhaps some of you may think of me as a “wet blanket,” “a kill joy,” “a stick in the mud,” or maybe something more creative, like the “grim reaper of all things fun, progressive, and exciting.” But before you shower me with compliments, let’s seriously consider some of the potential consequences of the IOT.  

According to a 2015 Federal Trade Commission staff report, “IOT devices may present a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating personal safety risks.” (1) As I read the FTC’s report, it seemed to describe privacy and security as two separate but linked things. The privacy concern is more related to the requirement for data sharing that is central to the IOT concept. The IOT is all about collecting and sharing data in order for each connected object to be able to perform. Inevitably, that means you will be clicking “agree” on those indecipherable clickwrap agreements and online terms of use pages much more frequently than you do now.

Many times, you’ll be agreeing to allow a company to use the data you produce from all your IOT devices in a myriad of ways, including sharing it with or selling it to whomever, whenever. You can see the issue with that; there will likely be many more opportunities for your financial and other very personal information to fall into the wrong hands. Keep in mind, these vulnerabilities will not just affect you personally, but all organizations that are plugged into the IOT.

The security concern is about how vulnerable your devices are to hackers and others abusing the Internet as well as everything connected to it. According to James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies, many Wi-Fi connected devices use simple processors, which make them more vulnerable to hacking than those devices with more sophisticated processors that include advanced security functions, like your PC. (2) According to Mr. Lewis, an example of one of these less secure Wi-Fi connected devices is one that is nearly ready to go on the market, the driverless car. (3) Can you imagine a world filled with driverless vehicles? Are you comfortable with your car being hacked by some stranger halfway around the world who wants to mess around with your brakes? How about your child’s driverless school bus? My point in mentioning these unsettling examples is that the IOT privacy and security threats are real and have the potential to cause massive damage to all of us as individuals and as a society. Thus, the IOT must have boundaries, and the experts agree. According to Mr. Lewis, “both devices and the networks that connect them will need to be made more secure, and the government should set higher standards for more advanced gadgets that create valuable data, perform crucial functions, and produce mass effect.” (4)

So now that you’re sufficiently freaked out, join me under my desk for a small, very obvious nugget of advice. Ready for it? Embrace the policies! Be ready to draft and/or update your policies and review them annually or even more frequently to make sure they’re relevant to the changing tides.

To start, I would focus on three kinds of policies: (1) technology use policies; (2) records retention schedules; and (3) communications policies. Although perhaps titled differently, your organization likely already utilizes all three of these, and if so, a fresh look is in order.

Tip No. 1: Technology Use Policy

If you don’t already, you’ll need a very well drafted technology use policy that dictates how your employees are purchasing, using, and disposing of all connected items that your organization uses. This policy needs to define “technology” broadly so that it incorporates all things that could potentially fit into the IOT. A few key questions that might help formulate your policy are: (1) Who can and cannot use certain networks and devices? (2) What are the acceptable and prohibited uses of all the various networks and devices? (3) What are the user’s security and information protection responsibilities, including password requirements? (4) What are the procedures for purchasing and disposing of these devices, including procedures for reviewing online terms of service, disclaimers, and clickwrap agreements? (5) What should employees do, or whom should they report to, if they think there is a security or privacy breach? (6) What are the penalties for violating the policy?  Sit down with a tech professional, your HR representative, and your attorney to formulate the specific policy standards. Finally, require all employees to read the policy and provide annual or even more frequent trainings on the topic.

Tip No. 2: Retention Schedules

Next, start planning for changes to your records retention schedules now before your organization is replete with new devices producing an overwhelming amount of data records. As government entities, we’re tempted to err on the side of caution, so we keep records forever or at least longer than necessary. (5) However, in an IOT world it will likely be impossible to keep this up. (6) Start trying to determine which existing categories different types of data may fall into, and see if your retention schedules are too long. Perhaps you will need to create new categories, which can take some time and thought. However, it’s best to be proactive now rather than to be blindsided later and expose your organization to unnecessary risk. Additionally, as the IOT progresses, you better believe that changes in state and federal policies regarding records retention will follow. So remember to stay on top of the political discussion and adjust administrative policies accordingly if necessary.

Tip No. 3: Communications Policy

Finally, take another look at your organization’s communications policy, which should cover employee and public use of your Wi-Fi connections, social media accounts, and websites. When literally everyone and everything is connected in the IOT world, a new type of decorum will have to be established through your communications policy. You’ll need to consider your own online disclaimers and clickwrap agreements for those non-employees desiring to use your Wi-Fi and other connected devices. These policies will help you determine what behaviors are appropriate and when and how troublemakers should be removed from your network or accounts. Additionally, the IOT will present new opportunities for distractions at work. When everyone is controlling their personal lives via smartphones and other personal devices, you may observe a decline in productivity without some clear boundaries in place. A solid communications policy along with consistent employee training should help your organization prepare and adjust in an IOT workplace.

So, if you’re like me, and the IOT is a bit intimidating, I hope you take some solace in the fact that the policies guiding it will likely be as pervasive as the IOT itself. Perhaps then . . . when we have the billion points of policy figured out . . . I might come out from under my desk. Unless there are robots . . . wait, are there robots?

Additional Resources:

Footnotes:
