Legal Watch: The Perils of the IoT

Sept. 10, 2015
Work with your counsel, advisors and experts to limit the enhanced cyber risk that comes with the Internet of Things

The Internet of Things, or IoT, is relatively new, and it offers both benefits and potential risks. Security providers should enjoy the benefits — but ignore the risks at your own peril.

Broadly speaking, the IoT refers to devices connected to the Internet for the purpose of information transfer or process automation. The world is installing more and more devices that yield productivity, cost savings and pleasure. Yet, serious unintended consequences accompany the IoT. For electronic security providers, they open a subscriber’s most precious assets to unwanted intrusion and theft.

The Target stores breach is a vivid case in point. Intruders accessed Target’s trove of customer-related personal information through its HVAC vendor (a classic IoT combination), and Target failed to notice the theft until it was too late. Security professionals were not surprised. They knew the IoT has expanded the attack surface for the bad guys. Devices that are increasingly embedded in premises provide many more Internet points of entry for unwanted intrusion. What strikes me is how easy it is to imagine this happening to a security contractor rather than an HVAC contractor.

Target is an inviting target (no pun intended). You may think no one would bother to go after other, smaller businesses because they are simply too small for anyone to care — not true. According to a Verizon Data Breach Investigations Report, and other similar reports along the same lines, “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.”

Other studies reporting that the vast majority of cyber-attacks are aimed at small businesses are equally sobering. “The scary thing about this number is that the small businesses are usually the least equipped to protect against an attack,” according to an Aeris Secure report. “Most hackers will prey on the weak. With technology being so prevalent in all businesses, few can afford to not pay attention and do whatever they reasonably can to protect their business and assets.”

This should be a wake-up call for all business owners. If you are paying attention but are simply overwhelmed by the deluge of scary information hitting your inbox every day, the question becomes: What can a business owner reasonably do to protect the business from cyber-attacks emanating through the Internet of Things that likely will result in loss of critical assets, reputation and remediation time and money?

You can and should be able to address your IoT exposures, and many others associated with your Internet presence, efficiently, cost-effectively and in a timely manner. Because your exposures are both related to information technology and not, your counsel and trusted IT governance and security partners should be on your team. A few lawyers are recognizing that, in this ever-expanding cyber-risk field, lawyering alone will not get the job done. By the same token, forward-thinking IT governance and security professionals know there is a lot more to the incoming risks than can be handled by IT protection alone.

It is critical that leadership at the top sees to it that data, device and process security are seen as an enterprise concern. With the right legal counsel and IT governance and security professionals on your team, you can effectively address both the IT and non-IT risks embedded in the IoT.

I strongly recommend that you have the conversation with your counsel and ask for a plan to assess and remediate your real-time risks. Your goal should be to achieve the ability to make informed risk-management decisions about your multiple risks, specifically whether to remediate them, transfer them by way of cyber-insurance or ignore them. Whatever you decide, you’ll be much more likely to make the right call with the right cross-disciplinary team in place.

Eric Pritchard is a Philadelphia lawyer who spends his workday making the world safe for electronic security providers. He can be reached at [email protected]. This column does not constitute legal advice; contact an attorney with questions. 

About the Author

Eric Pritchard | Eric Pritchard

Eric Pritchard is a partner in FisherBroyles, a law firm with office throughout the United States and in London. He spends his days trying to make the world safer for the security industry. You can reach Eric at [email protected].