Many organizations struggle to keep abreast of the changing privacy landscape, and consumers are growing more aware of the data collected by devices ranging from smart speakers to smartphones to facial-recognition-enabled surveillance cameras.
For manufacturers, studying relevant IoT security frameworks and regulations is vital. They should also think of risk from a variety of viewpoints, suggested Jeff Wilbur, technical director at the Online Trust Alliance, speaking at the Smart Home Summit. For a consumer, a threat can be internal or external, he said. “If you’re a homeowner, you might wonder: ‘Are people spying on me? Can they open my door? Can they get my data?’ But there’s also an external threat where IoT devices can be weaponized such as with the Mirai botnet,” Wilbur said. “That’s where the government has the most concern.”
Not only are data breaches frequent, they have become more severe in recent years. “Historically, a breach of credit card numbers caused minor inconveniences for a small subset of users who had to wait to receive a new credit card,” said Ben Auton, vice president at SpearTip. But the number of breaches exposing highly sensitive data, including personal images, financial and medical histories, is increasing. “This intimate, personal impact is unprecedented, and will certainly increase public awareness and aversion to this level of data being maintained by private companies,” Auton added. “In the end, this will likely lead to continued policy development and regulation.”
In the event a company is breached, the response matters. “That’s a very strong signal,” she added. “Just saying you care about users’ security or privacy is not impactful.”
Consumer-facing industries must also wrestle with a lack of trust from the public. Internal McKinsey research found that fewer than half of consumers trusted organizations ranging from health care and financial services institutions (both with 44%) to consumer packaged goods companies. Consumer trust in technology companies is also waning, according to the 2019 Edelman Trust Barometer report.
Such considerations are particularly important when consumers have choice in the marketplace. McKinsey has noted a growing trend of consumers who avoid doing business with a company with problematic or unclear privacy practices. Internal research from the advisory firm found 85% of consumers stated they would avoid doing business with a company if they lacked trust in its security practices. Seven out of 10 consumers McKinsey surveyed said they would stop doing business with a company if it shared sensitive data with other parties without their permission.
The Importance of Clarity
Consumer IoT device makers should remind their customers regularly which types of data are collected, and offer an opt-out option. “That’s a pretty good approach because, if you as a consumer are not comfortable with something, you can turn it off,” Donchak said.
Beyond the simple opt-in/opt-out model, another approach is to focus on informing consumers when and how their data is used. “Look at what Estonia does in health care,” said Will Ackerly, chief technology officer of Virtru. The country has deployed a centralized approach for unifying medical information that can notify patients when their data is accessed. “If a doctor reads your health record, you can get a text message,” Ackerly said. “The idea is to create a system that makes data self-protecting.”