The Internet of Things (IoT) is the next step in the rapid evolution and development of Big Data. As you know, IoT can be visualized as a web of connected devices—office gadgets, personal electronics, vehicles, etc.—that communicate with each other without the need for human control or supervision. Like any new technology, IoT brings with it a host of legal and ethical issues. CIOs should make an attempt to understand the complex concerns that IoT will bring, while also understanding that integration of IoT into a company will be both inevitable and, ultimately, beneficial. In particular, the following five concerns may keep any CIO up at night, and should remind everyone that IoT should not be ignored.
1) IoT is Expanding—Fast
Why should a CIO worry about IoT? The answer is that IoT is poised for rapid expansion. Despite the advent of notable IoT products like smart doorbells and thermostats, we have just begun to see the benefits of IoT devices. Consumers and businesses alike will reap the benefits of IoT, but must also be wary of the potential pitfalls. These include general concerns about the loss of privacy, and the exposure of IoT devices (and the data associated with them) to internal and external threats. Companies, and particularly CIOs, must appreciate and prepare for the risks associated with IoT before they can fully enjoy the benefits. Specifically, CIOs should be concerned with how best to address data storage and capacity, backup and retention of potentially privileged data, and exposure to new cyber security risks associated with IoT.
2) Data storage and capacity management
According to analyst firm Gartner, “IoT deployments will generate large quantities of data that need to be processed and analyzed in real time.” The large quantities of data being stored will greatly increase data center workloads, leaving CIOs with new capacity and analytical challenges to address. CIOs will therefore have to establish a more “forward-looking capacity management” process, taking a proactive instead of reactive stance to securing storage for their company’s IoT data needs.
How data is stored greatly affects how it is collected. Today’s litigation professionals are always playing a game of catch-up, trying to figure out how to address new data sources after they become mainstream. For example, electronic discovery professionals today are working to develop collection protocols for data contained in social media platforms, Snapchat applications and text messages. When IoT devices become the norm, both CIOs and ediscovery professionals must address some of the following concerns: who is in control of the IoT device, the format of the data being generated from relevant IoT devices, and how IoT data can be cost-effectively gathered for litigation processing and review.
3) Data management policies
In addition to data storage concerns, the IoT explosion is driving backup and retention difficulties. With limited storage space on current IoT devices, most IoT technologies integrate with existing technologies today. As such, it is likely that IoT data also resides on another device (e.g., smartphone, tablet, or server), meaning the data is probably already backed up and governed by existing corporate policies and practices. For example, smart watches like Pebble need to be connected to a smartphone to access email, text messages and social media accounts. However, as IoT devices become more stand-alone, with greater capacities to store data without the assistance of another device, corporate information governance and “bring your own device,” or BYOD, policies will need to expand to include considerations for these hypermobile IoT devices.
IoT devices and BYOD policies will create growing ambiguity for CIOs and legal professionals as to what data are relevant to a suit and if any privilege or privacy concerns exist. The first step will be to efficiently remove superfluous data in the growing sea of information from IoT devices. An added complexity for CIOs and legal professionals will be to draw the line between personal data and corporate data that is relevant to the legal matter, while sufficiently protecting private data, such as personally identifiable information or financial and health information. This will be especially challenging as the line between personal use and corporate use is blurred by IoT devices and BYOD policies.
4) Cyber-security and hacking
IoT innovations will create concern for CIOs over a multitude of security issues, including cyber-attacks, data breaches and hacking. A recent study from HP Security Research found that 70 percent of Internet-connected devices are vulnerable to some form of hacking. As IoT continues to expand, there are rising concerns about the increased number of entry points for hackers into the smart home or office. The challenge for CIOs will be to make sure IoT devices are tamper-proof, so that their physical connections cannot be modified, their operating system or firmware is unalterable, and any data they contain cannot be extracted in unencrypted form. In addition, no matter how secure the IoT infrastructure is, CIOs will still have to pay extra attention to the security of the data center that stores and processes data that comes in from IoT equipment.
5) IoT is Coming. Embrace it (cautiously)
Despite the concerns about data, cyber security and privacy, IoT will also bring many benefits for companies. While many CIOs may wish to avoid the murky legal and ethical issues associated with IoT entirely, it will be impossible to do so. Other departments within a company, such as marketing departments, will likely want to embrace IoT much more quickly. As IT departments and these other corporate departments begin to collaborate to achieve company goals, CIOs should expect to be pulled into IoT issues sooner rather than later, and should work to anticipate the problems that will develop. Preparation will be the key to success. Diligent CIOs must pay attention to the potential legal ramifications of racing haphazardly into an area where ediscovery rules, regulatory oversight, and security measures are still lagging behind.