Arbitrary and unclear regulations are bad for business. Just ask the many companies that have been in the crosshairs of a government agency because of an alleged wrongdoing. Such situations, I am afraid, are becoming increasingly common for security systems providers. At issue are some recent actions taken by the Federal Trade Commission against several security companies.
One thing the companies have in common is that their solutions are considered part of the Internet of Things (IoT). As discussed in my most recent post, many security products and systems are part of the IoT, presenting significant security and privacy challenges for the makers of smart locks, doorbells, access control systems, and security cameras.
In these IoT cases, the FTC has alleged violations of Section 5 of the Federal Trade Commission Act which gives the FTC authority to prevent “persons, partnerships or corporations” from using “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” Unfortunately for companies trying to do the right thing, the Act does not define what these terms mean in practice. Companies are often left to guess.
Guess wrong and your company could be in for a world of hurt. For example, one security company, once it became aware of a flaw in the security of its firmware, fixed the flaw. Despite that, consumer complaints prompted the FTC to act. What ensued for the security company were years of legal wrangling to defend itself. The FTC had offered to settle the matter, but the terms of the settlement were unpalatable to the company: terms such as allowing the FTC unfettered access to the company’s security practices and accounting records for 20 years.
Most companies, though, fearful of ongoing legal costs, succumb to the FTC’s bullying and agree to settle. What does a settlement mean? Mandated documentation of data security policies and procedures, mandated employee training, mandated annual assessments of internal and external security risks, mandated third-party evaluations. The FTC essentially takes control of the business away from the owners.
Many of these mandated actions are overseen for 20 years. As I see it, many of these actions should be put into practice anyway. Where I see a problem for the industry is that it loses control of when, where and why those actions should occur: when it is best for the business, or when it is best for the government?
How to protect your company? There are no hard and fast rules, because the regulations and enforcement actions are solely at the discretion of the FTC, which is led by a politically appointed body of Commissioners.
A good place to start is when you are developing a new product or service. Consider:
- Whether the cloud services you are using (if any) are secure
- Forcing consumers to change the default log-in credentials
- Encrypting log-in credentials rather than transmitting them in clear, readable text (seems obvious but one company was cited by the FTC for this practice).
- How a bad actor might abuse or misuse your technology for nefarious purposes. When you identify a security risk, consider a defense-in-depth strategy of layered security controls. Anticipating such actions can help you build protective measures into the design of the product itself.
- Paying attention to and adopting standards and best practices developed by the National Institute of Standards and Technology (NIST), the Security Industry Association (SIA), CompTIA, etc.
- Always designing your product or system with security and privacy in mind.
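Two of the items above, forcing a change of the default log-in credentials and never accepting credentials sent in clear text, are concrete enough to show in code. The following is an added example written for this post, not code from any product or company mentioned here. It models a device's local login with a hypothetical `DeviceCredentialStore` and `handle_login` function: the factory default is accepted only to change it, passwords are stored as salted PBKDF2 hashes rather than in readable form, and a login attempt that did not arrive over an encrypted transport is refused before the credentials are even compared. The `transport_encrypted` flag stands in for a check a real device would make at the TLS layer, and the default credential values are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed placeholders for the credential a device ships with (assumption,
# not any real product's default).
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"

# Work factor for PBKDF2; high enough to slow offline guessing, low enough for
# an embedded CPU to verify a login in well under a second.
PBKDF2_ITERATIONS = 100_000


class DeviceCredentialStore:
    """Credential store for a device's local login (hypothetical).

    Passwords are never kept in clear text: a per-user random salt and a
    PBKDF2-HMAC-SHA256 hash are stored instead. The store also records whether
    the factory default is still in effect so the device can withhold normal
    operation until it has been replaced.
    """

    def __init__(self):
        self._records = {}
        self.default_in_effect = True
        self._set_password(FACTORY_DEFAULT_USER, FACTORY_DEFAULT_PASSWORD)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def _set_password(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            # Spend the same work on unknown users so response time does not
            # reveal which user names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, expected = rec
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(self._derive(password, salt), expected)

    @staticmethod
    def _is_weak(password):
        # Reject the factory default and very short values; a real device would
        # apply a fuller policy (length, common-password list, and so on).
        return password == FACTORY_DEFAULT_PASSWORD or len(password) < 12

    def change_password(self, user, old_password, new_password):
        """Replace a user's password; clears the default-in-effect flag on success."""
        if not self.verify(user, old_password):
            return False
        if self._is_weak(new_password):
            return False
        self._set_password(user, new_password)
        self.default_in_effect = False
        return True


def handle_login(store, user, password, transport_encrypted):
    """Decide what a login request is allowed to do.

    Returns one of:
      "rejected"     wrong credentials, or credentials sent over a clear-text channel
      "must_change"  credentials are valid but still the factory default; the device
                     should expose only the password-change function
      "ok"           full access
    """
    if not transport_encrypted:
        # Credentials are never accepted, or even compared, when sent in the clear.
        return "rejected"
    if not store.verify(user, password):
        return "rejected"
    if store.default_in_effect:
        return "must_change"
    return "ok"


if __name__ == "__main__":
    store = DeviceCredentialStore()
    print(handle_login(store, "admin", "admin", transport_encrypted=False))  # rejected
    print(handle_login(store, "admin", "admin", transport_encrypted=True))   # must_change
    print(store.change_password("admin", "admin", "correct horse battery"))  # True
    print(handle_login(store, "admin", "correct horse battery", True))       # ok
```

The point of the `must_change` state is that the device still boots and still answers, but the only thing the default credential can do is replace itself; a customer who never gets around to changing the password therefore never has a device exposed with that password. Rejecting clear-text logins before verifying them means a misconfigured client cannot leak a valid password onto the network in exchange for a helpful error message.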
I think enforcement actions are going to escalate for security systems manufacturers and users as nebulous laws and regulations proliferate. Complaints to the FTC can come from anyone – consumers, security researchers, even competitors.
Case in point, Carnegie Mellon researchers have created the IoT Privacy Assistant for use by anyone in the United States, Canada, European Union, Norway, Iceland, Switzerland, Liechtenstein, New Zealand, and the United Kingdom. Using a downloadable app, users can see IoT devices within range and see what data those devices are collecting.
This app supports the trend, encoded in the General Data Protection Regulation and other regulations, giving citizens more control over their data privacy. Organizations can also use the IoT Privacy Assistant to publicize their IoT devices in use and their data practices. This can be good and bad. Robust data privacy practices associated with IoT devices can build trust with consumers – or not. The trick will be understanding what consumers, government regulators and non-governmental organizations (NGOs) like the ACLU consider robust privacy practices.
Transparency and adherence to your security and privacy practices are key to gaining customer trust. Unfortunately, the laws we must abide by are not equally as transparent and are often arbitrarily interpreted.