2
informs patients’ diagnosis and treatment.
6
Connected cars offer both safety and convenience
benefits, such as real-time notifications of dangerous conditions and smartphone starter and
sound-system control.
7
And home IoT devices called “water bugs” detect flooding in basements,
while other devices monitor energy use, identify maintenance issues, and remotely control
devices such as lights, ovens, and wine cellars.
8
Consumers also may purchase devices such as
Internet-connected locks, burglar alarms, cameras, and garage doors for their physical safety.
But such benefits may be foreclosed if IoT devices themselves are a hazard. Like any
other consumer product, IoT products might present hazards such as fires and burns, shock, and
chemical exposure. IoT devices might also create additional technology-related hazards
associated with the loss of a critical safety function, loss of connectivity, or degradation of data
integrity.
9
For example, a car’s braking systems might fail when infected with malware,
10
carbon monoxide detectors or fire alarms might stop working with the loss of connectivity,
11
and
corrupted or inaccurate data on a medical device might pose health risks to a user of the device.
12
Consumers’ physical safety could also be at risk if an intruder had access to a connected lock,
garage door, or burglar alarm.
Requiring IoT devices to have perfect security would deter the development of devices
that provide consumers with the safety and other benefits discussed above.
13
Conversely,
insecure devices can erode consumer trust if consumers cannot rely on the safety and security of
workshop-entitled-internet-things-privacy/150127iotrpt.pdf (discussing benefits of the IoT) (Commissioner Wright
dissenting and Commissioner Ohlhausen issuing a concurring statement).
6
Id. at 7-8.
7
Id. at 9.
8
Id. at i and 8-9.
9
CONSUMER PROD. SAFETY COMM’N, POTENTIAL HAZARDS ASSOCIATED WITH EMERGING AND FUTURE
TECHNOLOGIES, 16 (Jan. 18, 2017) [hereinafter CPSC EMERGING TECHNOLOGIES REPORT],
https://www.cpsc.gov/content/potential-hazards-associated-with-emerging-and-future-technologies
(citing
potentially new consumer product hazards related to IoT, including loss of safety function, loss of connectivity, and
issues related to data integrity).
10
See, e.g., Jeff Plungis, Your Car Could Be The Next Ransomware Target, CONSUMER REPORTS (June 01, 2017),
https://www.consumerreports.org/hacking/your-car-could-be-the-next-ransomware-target/
. See also Catalin
Cimpanu, Volkswagen and Audi Cars Vulnerable to Remote Hacking, BLEEPINGCOMPUTER (April 30, 2018),
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/ and
Andy Greenberg, After Jeep Hack, Chrysler Recalls 1.4 M Vehicles For Bug Fix, WIRED (July 24, 2015),
https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/.
11
Cf. Richard Speed, Three-Hour Outage Renders Nest-Equipped Smart Homes Very Dumb, THE REGISTER (May
17, 2018), https://www.theregister.co.uk/2018/05/17/nest_outage/
(reporting that an outage in the Nest system left
consumers “unable to arm/disarm or lock/unlock” their homes remotely, leaving frustrated consumers to set their
alarms and lock their doors manually).
12
Shaun Sutner, FDA and UL weigh in on security of medical devices, IoT, IOT AGENDA,
https://internetofthingsagenda.techtarget.com/feature/FDA-and-UL-weigh-in-on-security-of-medical-devices-IoT.
13
The FTC does not expect perfect security. See e.g. Prepared Statement of the Fed. Trade Comm’n, Protecting
Consumer Information: Can Data Breaches be Prevented? Before the Committee on Energy and Commerce,
Subcommittee on Commerce, Manufacturing, and Trade, U.S. House of Representatives, 4 (Feb. 5, 2014),
https://energycommerce.house.gov/hearings/protecting-consumer-information-can-data-breaches-be-prevented/
(“[T]he Commission has made clear that it does not require perfect security; that reasonable and appropriate security
is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and
that the mere fact that a breach occurred does not mean that a company has violated the law.”)