WHEN THE INTERNET OF THINGS FLOUNDERS: LOOKING INTO GDPR-ESQUE SECURITY STANDARDS FOR IOT DEVICES IN THE UNITED STATES FROM THE CONSUMERS' PERSPECTIVE.

Author: Siegel, Jeremy
  1. Introduction

    The "Internet of Things" can be described as "objects with sensors networked together that are capable of communicating with one another." (1) With the rising prevalence of Internet of Things ("IoT") devices and the sheer number of uses for which they can be deployed, Americans are facing more vulnerabilities and risks of having their data breached than they ever have before. (2) With an increase in the number of devices the average person interacts with on a regular basis comes more access points where a breach could occur, and consumers are not even aware of this risk. (3) The Internet of Things spans every socioeconomic and demographic group in the world, including the homeless community, which utilizes smart phones to keep in touch with family and social workers. (4) The Internet of Things is also helping developing countries propel businesses, education, agriculture, and healthcare. (5)

    The vast majority of everyday, average consumers use these devices to help make their lives easier by streamlining routine functions, despite not knowing how their information is being secured on these devices, or how secure the devices themselves are. (6) Aside from the dangers that consumers face when IoT devices are hacked, businesses also face considerable risks given the vast amount of customer data they hold, which is an attractive target for hackers. (7) As data breaches increase in regularity, especially amongst corporations such as Capital One and Marriott, consumers are becoming numb to these stories, are not taking the risks seriously, and do not know how to protect themselves. (8)

    The risks of data breaches caused by IoT devices are grave, and unfortunately, there are a variety of barriers preventing injured consumers from obtaining a proper remedy if they are injured by one. (9) From a purely legal cause of action perspective, there is not a single tried and tested, successful legal theory that consumers can rely on to bring a cause of action against an IoT manufacturer. (10) From a procedural standpoint, recent cases have shown the difficulty that victims of data breaches face when trying to satisfy the standing requirement that stems from Article III of the U.S. Constitution, halting any chance of recovering damages. (11) Despite the legal theory and procedural fences faced by consumers, there have been some recent successes where courts have recognized standing for breached consumers that could not show they suffered a tangible "injury-in-fact." (12) Though companies are continuing to invest in security infrastructure to prevent data breaches, there is still no widely accepted or recognized definition of what "negligence" or "standard of care" is for IoT companies. (13) This lack of a definition is leading to a lot of uncertainty regarding how consumers can protect themselves. (14)

    Federal legislation in the United States revolving around cybersecurity--whether it's guidelines for companies, specific industries, the government, or how consumers should be notified if they are a victim of a data breach--is incredibly dispersed and lacking in clarity. (15) Because federal legislation is very ad hoc and piecemeal in the United States, with various industries and verticals supported by different acts instead of one general branch or statute, consumers affected by a data breach have a difficult time determining what legislation to rely on. (16) Compared to federal laws, each of the fifty states has its own way of handling data breaches. (17) The European Union recently enacted the General Data Protection Regulation ("GDPR"), in May 2018, which is a lengthy answer to a lot of data privacy concerns. (18) The GDPR allows consumers to request their data be deleted from the hands of companies, requires companies to notify consumers when their information is breached, and clearly defines the repercussions for companies that do not comply with all of the provisions. (19) GDPR's impact, while only having been enacted for a brief period of time, is already affecting global corporations, because they need to ensure they are compliant with GDPR's requirements in order to continue doing business on a regular basis in the European Union. (20)

    Only by enacting legislation similar to the GDPR in the United States, combined with defining what security standards should be for IoT devices, can consumers sleep soundly at night, knowing they are protected if one of their devices is breached. In Part II, this Note will map out the history of data breaches, how companies and consumers are equally affected, and what companies are doing currently to help curtail breaches from occurring. This section will include an in-depth look into the rise of cloud computing and how companies rely on cloud computing for data storage and security. Following this in Part III, there will be an overview of the components that make up IoT devices, and why security is lackluster on these devices. Finally, current legislation in the United States will be surveyed. After going through the procedural and legal issues that consumers face, in Part IV this Note will suggest a security standard for IoT device manufacturers to follow, and a Balancing Test for the Cybersecurity and Infrastructure Security Agency to use for companies that are hacked despite adhering to this proposed industry standard.

  2. History

    1. Data Breaches Today

      Data breaches have affected billions of people around the world since 2000, despite the fact that the overall amount that companies spend on IT security rose to $93 billion in 2018. (21) Data breaches now cost companies an average of $3.86 million for each breach. (22) Data breaches can occur in a multitude of ways, with varying routes of how a company's security infrastructure is penetrated, how the data is obtained, and the motive behind the hack. (23) One main reason that breaches occur is due to an error in the underlying coding of the security software. (24) Part of the reason that breaches occur is that companies may still be using "legacy" (outdated) hardware that requires difficult, intricate updates (also known as "patching") that may be incompatible with any modern components in a company's infrastructure. (25)

    2. Cloud Computing for the Modern Company

      Companies have various options to protect the data held in their networks, such as traditional hardware like firewalls; however, companies are increasingly migrating to a cloud-based model, due to its elasticity and low maintenance costs. (26) Cloud computing takes away the need for companies to manage their IT infrastructure in a physical on-premises data center, thereby outsourcing the burdensome maintenance to a company like Amazon Web Services. (27) The security aspects of cloud computing are favorable for many companies--it takes away the pressure of companies needing their own security processes in place, because they have entrusted the cloud service provider to monitor and maintain their systems at all times in a central environment, or data center. (28) Despite the advantages of cloud computing for companies, problems arise with IoT devices because they are constantly gathering data that brings a new stream of traffic to a network, in addition to a company's normal network traffic. (29)

      Cloud computing is gaining in popularity, but despite its attractive utilitarian purposes, there are still security risks and ambiguities associated with it that do not get enough attention. (30) These issues include cloud service providers outsourcing some of their needs to other cloud service providers, making for an unclear boundary for who is responsible for the data. (31) Large global corporations that have the financial and legal resources to spend a lot on cloud computing will have greater leverage to ensure that their information is secure, whereas smaller companies are at a disadvantage purely from an economies of scale perspective. (32) Companies that contract with cloud service providers are able to recover some liability relief in the event of a breach, but the main liability is still in the company's hands. (33) There are a variety of factors that contribute to how data is stored in the cloud, what solution is being used, what kind of data it is, and how it's encrypted--all of which are major concerns for customers. (34)

    3. Technical Components of IoT Devices

      The inherent allure of IoT devices for consumers is that they allow sensors or devices to "talk" to the cloud and monitor routine activities, all of which is made possible by the specific hardware components in each device. (35) All of the components in a device, which are often designed, built, and assembled by different companies around the world, tend to not work very cohesively together. (36) What escalates this problem is that any compromises in the device will go unnoticed because it is the software underneath the surface that will be breached, not the physical hardware; so the device will seemingly function as normal until the user recognizes the issue. (37) The sheer complexity in the underlying code to operate computer software is vast, and with the number of users that are using these devices, there are more access points for potential attacks. (38) With the number of variables involved with how an IoT device gets from the retailer to your hands, how the device is used, and how it's connected to a wireless network, the vulnerabilities are endless and give hackers ample access to implement an attack. (39)

      The underlying capabilities that allow a device to have "smart" functions are inherently cheap to build into a device, and are becoming more prevalent in ordinary devices that do not necessarily require these capabilities. (40) The rationale behind ordinary household items like children's toys and kitchen toasters having "smart" functionality is ultimately to let companies and industries collect more data, and the trend to have everything connected at all times...
