The Internet of Things is a Moving Regulatory Landscape
By Nicole Sandler, Vice President (VP) Fintech and Regtech, Barclays
As with many new technologies, it is important to consider the regulatory and legal challenges that arise from adoption of the IoT and the new regulatory frameworks that are being employed, particularly in an era where data is key. The General Data Protection Regulation (GDPR) and ePrivacy Regulation are two notable frameworks. It is anticipated that new business models will develop as a result of the development of the IoT and regulatory frameworks may be subject to change and evolution.
IoT and Data Privacy
In a number of cases, IoT products collect data on their users and their interests and behaviours, all of which are of great value to businesses. From a legal perspective, most of this data will be classified as personal data and is therefore subject to protections both in terms of data protection and data security.
In May 2018 the GDPR comes into force. The aims of the new GDPR are to harmonise the current data protection laws in place across the EU Member States, to make companies take the issue of data protection more seriously, and to strengthen an individual’s rights over their data. Whilst not all IoT use cases are about personal data, some are, and therefore GDPR will need to be taken into account, not least because there are substantial fines for non-compliance or data breaches (up to the higher of four percent of annual worldwide turnover and EUR20 million). Moreover, it is worth highlighting that this regulation has extra-territorial scope, and therefore also applies to businesses based outside the EU that offer goods and services (even if they are for free) to consumers, or that monitor individuals in the EU.
In addition to the GDPR, another framework that specifically mentions the IoT is the ePrivacy regulation which focuses on all electronic communications.
Whilst the text is not yet finalised and the date of enforcement is still unclear, the future ePrivacy rules could end up eclipsing the GDPR where the IoT is concerned, as a result of their significantly wider scope of application, which could potentially cover all data relating to connected devices. Like the GDPR, this regulation also looks set to carry equally large fines and extra-territorial application.
Too Early to Regulate
Regulators have been considering whether to regulate IoT technologies for several years already. They have so far not proposed concrete new regulatory approaches to the IoT, opting instead for recommendations of principle, in particular stressing the need for developers to adhere to the practice of privacy and security by design.
Furthermore, policy-makers' focus is largely on the promotion of open standards for IoT communication protocols, to avoid fragmentation and to foster the interoperability that IoT technologies need in order to reach their potential. However, as the technology matures, it is apparent that IoT technologies pose new threats that existing data and cyber-security regulation may not address. This notably includes the need for clarification on the allocation of responsibility for security breaches, and of liability for damages resulting from a fault in a connected device.
It is imperative that the industry, policy-makers and regulators work together to mitigate the risks. There are various ways for firms and businesses to engage with both regulators and policy-makers. A common approach is to respond to discussion papers (DPs) and consultation papers (CPs) or to attend roundtables. Over the past couple of years there has been an increase in roundtables, DPs and CPs from international regulators, policy-makers and supranational bodies (including ESMA, IOSCO, the ECB and the European Commission), and from domestic regulators and policy-makers (including the FCA). Other key approaches include attending working groups, public hearings, bilateral meetings and conferences, and engaging through forums and tools such as the FCA's sandbox: a safe space for businesses to test innovative products, services, business models and delivery mechanisms in the real market, with real consumers. These forms of engagement allow the industry, regulators and policy-makers to educate each other and to understand the problems and pain-points, so that they can collaboratively work out how these should be approached and solved. As technology continues to drive business models, the industry needs to keep engaging.
IoT Complexity Magnifies Cyber Security Risk
With the explosion of devices and sensors, cybersecurity takes on a whole new dimension, not just for financial institutions, but also for their customers. Whilst the IoT provides new ways for businesses to create value, data sharing and connectivity at the same time offer new opportunities for information to be jeopardized. For instance, a key issue with low-priced IoT devices that are connected directly to the public internet is that they have a low security threshold and are unlikely to receive regular security patches. This has been exploited by the Mirai botnet, which targets vulnerable devices. While to date attacks by Mirai-infected bots have been most prevalent in Europe and the US, Mirai-infected bots are a global phenomenon. In 2016 security researchers determined that over half a million IoT devices located in 164 jurisdictions were vulnerable to Mirai. Given the compound effect of the sheer number of devices, it would be beneficial for devices connected to the internet to be subject to a regulatory requirement to meet a certain threshold of both initial security standards and ongoing bug fixes.
According to a report by Gartner, there will be over 20 billion connected devices by 2020, each of which represents a portal to the network that can be hacked or compromised. Therefore, the promotion of security by design is essential to guaranteeing end-to-end security across the whole financial services chain.