The IoT is a unique beast and the ease with which vast quantities of information can be instantaneously collected and exchanged within the network is often at odds with an opaque and disparate entanglement of stakeholders. The legal protection for data subjects in this complicated connected world is not easy to pin down. Currently, claimants must rely on a combination of jurisdiction specific privacy and data protection law and existing contractual obligations.
The General Data Protection Regulation which comes into force in May 2018 bringing stricter notification requirements for data protection breaches, and penalties of up to 4% of annual turnover for offending organisations, is likely to intensify focus on cyber security in the IoT.
For those of you who have been living on a remote Pacific island for the past couple of years, it might help to explain the IoT as a vast network of internet-connected devices that gather and swap data with a view to improving efficiency and productivity. The oft-quoted example is that of the “smart” fridge detecting when the household runs out of broccoli and alerting the supermarket supplier. In reality, however, IoT devices range from low-level technologies like security cameras and printers to the complex computers and sensory equipment used to operate city infrastructure.
Connectivity is here to stay and it is predicted that by 2020, over 20 billion “things” will be connected through the IoT. The real power of the IoT lies not in being able to manage the supply of commodities, but rather in what happens to the vast quantity of personal data that is collected and exchanged via machines. A growing focus on the monetisation of data means that the privacy and security of personal data in the IoT is of increasing importance.
Security experts have demonstrated the relative ease with which many low-tech devices, like baby monitors and automated lighting, can be tampered with. But we have also seen high profile demonstration hacks of complex IoT machines like driverless cars.
This time last year, the IoT bot “Mirai” caused widespread disruption to the internet in the form of Denial of Service attacks. Like Mirai, Reaper has the potential to unleash major devastation in cyber space (although there is no indication at this stage what its creator’s intentions are). Reaper spreads by exploiting vulnerabilities in the firmware of IoT devices such as routers and cameras.
Although the botnet has so far been confined to a limited number of devices, a further two-million devices have been identified as potential targets. Pascal Geenens, EMEA Cyber Security Evangelist for Radware, said last week that the IoT threat we should be most worried about is, “the possibility for fragmented IoT botnets to get overrun by one strong and efficient botnet which … will create a super-botnet of unequalled and unseen size".
Another known threat in the IoT is the “Krack” vulnerability which allows exploiters to access WiFi networks without passwords or keys and to change the nature of interactions between connected devices within that network. This vulnerability affects any devices using WiFi technology and does not need to utilise the software running on the device. Krack has the potential to infiltrate an entire WiFi network and infect any, or all, of the connected devices with malware at the same time.
Implementing security patches for Krack is complicated by the fact that there are so many different parties involved in manufacturing, configuring, supplying and supporting the devices. In his article for the Society for Computers and Law Magazine, Chris James acknowledges this particular IoT hazard when he notes that IoT devices: “are often part of a complex supply chain with multiple stakeholders assuming different responsibilities”. Once IoT devices have been distributed, it can be difficult to retrofit fixes and updates.
Under current UK data protection law, organisations must guard against loss, destruction or damage to personal data by employing “appropriate technical and organisational measures”  which includes “the right physical and technical security, backed up by robust policies and procedures”. When the GDPR comes into force next year, there will be an additional requirement to report certain personal data breaches to the supervisory authority (ICO) without undue delay (as opposed to simply dealing with the breach effectively). Maintaining secure networks and detecting and preventing potential breaches will become increasingly important. The GDPR introduces specific obligations to:
- ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- regularly test, assess and evaluate the effectiveness of technical and organisational measures
- be able to describe the security measures deployed (whether acting as controller or processor) 
Where the data processing is likely to result in a high risk to the rights and freedoms of an individual, and in particular where new technologies are involved, the GDPR requires that a data protection impact assessment be carried out. The Article 29 Working Party Opinion on the Internet of Things specifically recommends that impact assessments be carried out before any new devices or applications are launched in the IoT. In addition, the Article 29 Working Party advises that principles such as “Privacy by Design” should be adopted from the outset of specification and manufacture of IoT devices. In reality, however, manufacturers are often more focused on keeping costs to a minimum than building robust security features.
Organisations will, therefore, need to be selective about the technology they deploy and how employees are permitted to engage with it. The upsurge in “bring your own device” (BYOD) options, for example, compounds the risks for organisations that do not have a clear policy on secure connections and data handling. As well as allowing employees to access the corporate network, BYODs are increasingly likely to simultaneously be linked to IoT devices like home energy and lighting systems and intelligent personal assistants.
Ben Boswell, UK & Ireland director at World Wide Technology says: “We know that having proper information management and data governance procedures in place can dramatically reduce the cost of cyber breaches even if they do happen. But with the increased transparency of the GDPR, avoiding a breach altogether will become even more valuable than simply minimising their impact once they happen”. In an increasingly connected world, privacy and security of data must become an essential tenant of solution procurement but organisations will also need to take a holistic approach to securing and monitoring corporate networks and training staff in data protection risks. After all, the Reaper bot, or a similar threat, is just one carelessly connected device away.
 Principle 7, Data Protection Act 1998.
 Art 33(1) GDPR
 Art 32(1)(a) General Data Protection Regulation (GDPR)
 Art 32(1)(d) GDPR
 Art 30(1)(g) GDPR
 Art 35(1) GDPR
 Paragraph 7.1, Article 29 Data Protection Working Party. Opinion 8/2014 on the on Recent Developments on the Internet of Things. Adopted 16 September 2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
 Paragraph 4.6. Ibid
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.