Each day, nearly six million devices connect to the Internet. The International Data Corporation estimates that by 2020, there will be 26 times more devices connected to the Internet than people! With the rapid growth of Internet “gadgets” such as Fitbits, NEST home automation systems, refrigerators that email you a grocery list, and all of the phones and tablets in use, it is easy to understand the explosive growth in the “Internet of Things” (IoT).
As the IoT continues to expand, business owners are struggling to keep up, especially in regard to device privacy and security. These employers must manage any potential risk to customers and vendors arising from the conduct of their employees, while also protecting the employees’ best interests.
The first concern for an employer is to minimize the risk of a data breach resulting from careless or rogue employees. Minimizing this insider risk is often the first line of defense. Although data security is usually seen as an “IT concern”, it is an issue for any business that wants to minimize potential liability. Companies should consider conducting a privacy or security risk assessment, minimizing the data they collect and retain, and testing their security measures before launching their products. As for personnel practices, organizations should train all team members about good security practices.
For companies who process or store IoT data, they should only store necessary records and information for the correct period of time and in the proper format. A business is in a better position in any litigation or government investigation if it can show that it took reasonable steps to protect confidential data within its possession. Most states already impose data breach obligations on companies, and some jurisdictions even require a written information security program (WISP) outlining what they have done to protect confidential data. This process involves using specific policies and employment agreements related to the storage and dissemination of IoT and other electronic data, as well as training of individuals with data access.
Employee training options include:
• Teaching employees about the importance of data security to create a culture of awareness and safety;
• Implementing policies on what data is retained, how long it is retained, and how it is stored and protected;
• Adopting policies addressing employee use of laptop computers and other mobile devices, including bring-your-own-device policies;
• Developing policies on employees using public WiFi while outside of the office and requiring the return of all mobile devices and information from employees upon job conclusion;
• Implementing checklists and procedures to block computer system access for any terminated employee;
• Establishing programs to monitor employee compliance with security, including potential internal attacks to determine employee vulnerability; and
• Developing appropriate password and encryption policies with assistance from IT.
The IoT gives business owners the ability to have a more efficient, productive and healthy workforce. However, prudent businesses will take the necessary steps to not only protect themselves against data breaches caused by employees, but will also take steps to ensure that to the extent an employer obtains employee health data, appropriate steps are taken to protect the privacy and proper use of that information.
If you need help making sure that your business is secure and ready for the IoT, contact Dorset Connects.