Like your coffee hot when you get to the office? Want the workplace temperature to self-adjust to the weather? If the answer is “you bet,” be aware that corporate legal risks can go hand in hand with the conveniences of internet-connected devices.
Commonly known as the Internet of Things, these devices are connected to each other via the internet and exchange data. They include Amazon.com Inc.'s Echo smart speaker and Microsoft Corp.'s Cortana virtual assistant, which can assist employees at their desks using voice-activated intelligent digital capabilities.
Companies that use digital assistant and connected devices could be liable to users “if the data are accessed by a hacker and that’s construed as a result of a failure by the company to meet an obligation, whether that’s expressed or implied, to protect the data,” Behnam Dayanim, co-chair of Paul Hastings LLP’s privacy and security group, told Bloomberg Law.
The potential legal liability would depend on the type of device, the nature of the agreement between the user and the company, and the sort of information accessed, he said.
Big Bug on Your Desk
“Data theft will continue to increase as more people store data electronically,” which will likely result in more legal actions, Dayanim said.
Companies can mitigate legal risks by following voluntary industry guidance, as well as maintaining security testing programs and agreements with third party vendors that have reasonable security, attorneys said.
“There is the potential for hackers to access these devices to listen in and potentially record,” Nilesh Patel, a technology attorney with Frost Brown Todd LLC, told Bloomberg Law. “This type of hacking could effectively turn the device into a big ‘bug’ sitting right on your desk or counter.”
The legal implications for employers allowing the use of personal assistance devices, or internet-enabled, voice-activated products that help with simple tasks like setting alarms, answering online search questions, and making phone calls, are “potentially tremendous,” Patel said. Legal implications for security flaws in these and other connected devices could center on whether or not users are aware that the devices are recording, and if they are told who has access to the recordings, he said.
There also is potential liability for companies related to the misuse of information from devices that capture recorded data, Nicholas Merker, partner and co-chair of Ice Miller LLP’s data security and privacy group, told Bloomberg Law.
A company executive who accidentally triggers a device to “wake up” while speaking on the phone with an investor might not know that the conversation will be recorded and stored in the executive’s device account, Merker said, raising the possibility of an inadvertent disclosure of data if the device provider misuses the information.
Risk Mitigation Strategies
Vulnerabilities in IoT and personal assistance devices pose privacy, cybersecurity, and safety risks similar to other products that can be hacked or otherwise compromised, Cheryl Falvey, a partner at Crowell & Moring LLP, who provides product safety and security counseling on IoT and privacy, told Bloomberg Law.
Companies can minimize risk and legal implications by complying with voluntary standards, such as those set by the International Organization for Standardization and the National Institute of Standards and Technology, to make sure there are checks in place to ensure the capability and reliability of sensors, Falvey said. Checks should also confirm that device algorithms that use artificial intelligence to make business decisions have a high probability that the decision will be correct, she said.
Companies can also mitigate the risk of liability by following standards when making agreements with third party vendors, Merker said. Before acquiring internet-connected devices, companies should follow processes to ensure that the products have appropriate security controls, he said.
Additionally, companies should ensure that employees only use IoT devices in the workplace that have been purchased by the company through a third party agreement with a vendor that has implemented reasonable security protections, he said.
Another effective liability precaution that is not limited to IoT is limiting the data a company retains, because “the less they have, the less that can be exposed,” Dayanim said.
Research released April 25 by Israel-based security company Checkmarx revealed a problem with Amazon’s smart speaker device, known as Echo. The vulnerability, which has been fixed, allowed Checkmarx’s research team to use Echo’s personal virtual assistant service, Alexa, to turn it into an eavesdropping tool, according to the report.
Checkmarx disclosed the scenario to Amazon and worked with the company to mitigate the risk, according to the report. Amazon in a statement to Checkmarx following the disclosure said: “Customer trust is important to us and we take security and privacy seriously. We have put mitigations in place for detecting this type of skill behavior reported by Checkmarx.”
Amit Ashbel, Checkmarx’s director of product marketing and cybersecurity, said that “the Alexa issue allows the attacker to gain full access to conversation transcriptions, which means that a hacker that would have leveraged this capability could potentially listen (read) in to private conversations.”
“IoT vendors are rushing to deliver their products to market and multiple researches in the field show that in many cases the application security is left behind,” Ashbel told Bloomberg Law.
To contact the reporter on this story: Sara Merken in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: David Mark at email@example.com