- April 7, 2021
- Bill Tolson
- Data Privacy
- Records Management
- Information Management
- Information Security
- Information Technology
I remember, back in the late 1990s, when I was working at HP, seeing HP Lab’s very early demos of their “Cooltown” project for the first time. The goal of Cooltown was to provide infrastructure for “nomadic computing”, a term the project used for human-oriented mobile and ubiquitous computing. The briefing I received included the concept that every electronic device would be connected to the internet (including a future mobile internet) and would be continually communicating with each other. For those of us able to review the concept, it was mind-blowing. In my mind, this was one of the earliest visions of the Internet of Things (IoT).
Fast forward to 2020 and IoT is now a well-established fact, accelerated by the proliferation and acceptance of cloud computing. Next-generation Internet of Things (IoT) devices are beginning to flood the market and open many new use-case possibilities – and business considerations.
In an article published earlier this year, Business Insider estimated that by 2025, the total number of IoT devices would surpass 64 billion. Research from Fortune Business Insights estimates that the overall market size will reach $1,102 billion by 2026. While the IoT technology stack has advanced dramatically in recent years, the technology and potential use cases are still in the early growth phase.
The adoption of IoT devices by all sectors will provide numerous advantages for companies and industries, including healthcare, manufacturing, hospitality, transportation, agro-tech, finance, and many more. But to organizations in the early phases of adoption, it’s still a mixture of technical standards and conflicting opinions. Most, however, agree that it has enormous potential - if the data generated by IoT devices can be captured, managed, and utilized correctly.
Some questions to consider:
The first thing to keep in mind: any data can be asked for via eDiscovery request if potentially relevant to the case. This includes data generated from IoT devices. In fact, there have already been many legal cases that involved IoT data discovery. For example, the discovery of pacemaker data in a murder case, the discovery of smart speaker data, discovery of fitness wearable data, and discovery of biometric device data. As more companies adopt IoT devices throughout their organizations, everyday things such as refrigerators, coffee makers, and smart light bulbs could become a focus of discovery.
Like all other forms of corporate data, IoT data does not explicitly need to be retained and managed just in case of a future eDiscovery request. However, if an organization with IoT devices can anticipate (reasonably foresee) a future lawsuit, its duty to preserve potentially relevant data (including data from IoT devices) is triggered immediately from that date. This duty to preserve stems from the amended (2015) Federal Rules of Civil Procedure (FRCP) Rule 37(e).
There are two distinct topics under the concept of anticipation: when that duty is triggered, and what data is covered under it. The trigger is usually an event such as news stories, other industry lawsuit filings, or even overheard conversations that can go back years. A compelling case, Micron Technology v. Rambus, 2009-1263 (Fed. Cir. May 13, 2011), shows how a lack (or the ignoring) of anticipation can cost you big time. What potential evidence must be preserved is a bit more of a grey area because very early on, the specifics of the case may not be known. Hence GCs at many companies err on the side of caution and initially over-preserve data. As more of the case becomes known, attorneys will fine-tune what data is required, reducing the data on legal hold.
Many of the current IoT devices have limited capabilities to store the data they generate. Some will transfer data to an individual cloud account. However, if you have thousands of IoT devices and individual applications, how can your corporate legal team place legal holds in the first place, much less search thousands of cloud accounts? Another question: do these devices reset themselves, or do they overwrite data once their limited storage is full, losing all the data still onboard the device? Wouldn't this amount to a destruction of evidence?
A fascinating question: what percentage of GCs would even think to consider data residing in the many IoT devices populating the average business, e.g., smart light bulbs, coffee machines, copy machines, printers, security and access controls, climate controls, equipment IoT trackers, Alexa for Business, self-vacuuming Roombas, smartwatches, and smartphones? The point is, soon, there will be hundreds or thousands of IoT sensors in an average corporate environment that could be relevant in litigation. Such devices represent a huge new source of evidence for a plaintiff’s lawyer.
For many attorneys, accessing IoT devices is not considered practical, nor in many cases is there an actual process to capture IoT data into a repository that can easily be accessed and managed. However, based on the already established rule that any data can be asked for via eDiscovery request, enterprise IoT data will begin to appear in eDiscovery requests soon.
A July 2018 Deloitte report on the Internet of Medical Things (IoMT) estimated the IoMT market will be worth $158.1 billion by 2022, up from $41 billion in 2017. Advances in medical technology (medtech), as well as healthcare industry regulatory requirements, are driving the need for IoMT data consolidation and security.
In 2018, there were already thousands of different types of medical devices – a growing number of them considered IoMT devices. These include mobile devices like skin patches, insulin pumps, blood glucose monitors, pacemakers, implantable cardioverter defibrillators, and stationary medical devices such as in-room patient monitors, imaging devices, scanning machines, not to mention doctor’s mobile devices.
Innovations in IoT technology, including wireless technology and small device computing power, are powering a considerable rise in new IoMT devices. Connectivity and communications between independent IoMT devices are transforming modern healthcare, reducing the overall risk of misdiagnosis, and increasing healthcare worker productivity. However, connectivity and the ability for devices to utilize different IoT device formats still have a long way to go. Additionally, many IoMT devices have limited storage capacity, so without constant management, the possibility of critical data loss still exists. Meeting IoMT device data interoperability requirements for unrestricted data use is a huge challenge that stands in the way of realizing the potential benefits mentioned above.
IoMT device and cyber data security is an absolute requirement for hospitals to embrace the IoMT fully. The liability of lost, corrupted, and breached IoMT data will drive litigation costs and regulatory fines to unplanned-for levels. Medtech vendors will need to establish real-time device monitoring, real-time cyber-threat modeling, analysis, and threat mitigation.
To alleviate these challenges, hospitals need a centralized Vendor Neutral Archive (VNA) as part of an integrated governance network for capturing, securing, managing, and analyzing all IoMT data streams to meet regulatory data retention requirements, security and access control, cost control, and to aid in AI-assisted critical insights and diagnosis. The unobstructed use of IoT across all areas in a hospital (because of common formats and consolidated data storage) can significantly contribute to increased accuracy in patient diagnosis and treatment, without increasing costs.
IoT devices have become a primary target of cyber-criminals as a way into corporate networks. But what about the security of the actual data generated by IoT devices? In 2019, IDC estimated that by 2025, IoT devices are expected to create 79.4 zettabytes of data. Corporate IoT data will contain a great deal of sensitive information that companies would rather not leave the enterprise. A large percentage of this data will come from video surveillance operations, but additional data types will include data from personnel tracking, security operations, and manufacturing operations.
In 2019, the United States Senate Homeland Security Committee advanced a bill designed to govern the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. Sponsor Senator Mark Warner (D-VA) stated:
"This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices."
The Electronic Privacy Information Center (EPIC), a public interest research center in Washington, DC, recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of mandatory privacy and security standards for all IoT products.
Many IoT devices are managed by their own specific applications, for example an iPhone application which wirelessly monitors the temperature of your office. Without a common data format and data consolidation, the storage, management, and utilization of the data across the enterprise will be complicated and not yield the results many hope for.
Additionally, the unconsolidated nature of IoT data streams will make it much harder to find and secure sensitive data as well as make it near impossible to run analytics and eDiscovery search/review.
A first step in addressing your fragmented IoT data environment is to consolidate all enterprise IoT (or IoMT) data into a centralized cloud archive repository for greater security, retention/disposition, legal hold, AI-assisted analysis, and export. In reality, what’s needed is an IoT vendor-neutral cloud-based archive (VNCA).
The second step is to encrypt all archived IoT data, on-premises, before movement to the cloud archive, in such a way as to allow ongoing utilization of the data, i.e., management, analytics, and eDiscovery. One of the few ways to do this is to use homomorphic encryption - an encryption scheme that enables analytical functions to be run directly on encrypted data while keeping the data fully secured. By encrypting the data before it is moved to the cloud archive, you maintain full control of the encryption keys, on-premises, instead of letting the cloud vendor create and manage your encryption keys.
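A minimal sketch of the flow described above, added here as an illustration and not Archive360's code: readings are encrypted on-premises, the archive adds them while they stay encrypted, and only the on-premises key holder can decrypt the total. The page does not name a scheme, so Paillier (additively homomorphic) is assumed; the key size, function names and sensor readings are constructed for the demo.

```python
# Added illustration: toy Paillier flow (scheme choice is an assumption, see lead-in).
import secrets
from math import gcd

# Demo-only key: two known Mersenne primes. Far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1

def keygen(p=P, q=Q):
    """Runs on-premises; only the public modulus n is shared with the archive."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # valid because g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """On-premises gateway: encrypt one non-negative integer reading."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1            # fresh randomness per ciphertext
        if gcd(r, n) == 1:
            break
    n2 = n * n
    return (1 + m * n) % n2 * pow(r, n, n2) % n2    # (n+1)^m == 1 + m*n mod n^2

def cloud_sum(n, ciphertexts):
    """Cloud archive: add readings without the key by multiplying ciphertexts."""
    total = 1                                       # an encryption of 0 (r = 1)
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def decrypt(n, priv, c):
    """On-premises only: recover the plaintext with the private key."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def demo():
    n, priv = keygen()
    readings = [215, 219, 224, 231]   # constructed: temperatures in tenths of a degree C
    archived = [encrypt(n, m) for m in readings]    # what leaves the premises
    enc_total = cloud_sum(n, archived)              # computed by the archive
    return decrypt(n, priv, enc_total), readings, archived

if __name__ == "__main__":
    total, readings, _ = demo()
    print("sum:", total, "mean:", total / len(readings) / 10, "C")
```

Paillier supports only addition of ciphertexts and multiplication by a plaintext constant; keyword search or arbitrary analytics over encrypted data require other schemes.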
IoT data will quickly become a tremendous asset, as well as a huge liability for organizations. Businesses and government agencies will need to treat IoT data as they would their other sensitive data.
To find out how Archive360 can help you address your IoT data archiving needs and how our homomorphic encryption is helping some of the most security-conscious organizations in the world protect and control the security of their data, click the Contact Us button at the top of the page.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.