There’s an unwritten rule that if you blog about manufacturing, you must blog about the Internet of Things. I blog about manufacturing, so here we are.
Here’s the thing: I think IoT is very cool and very exciting for the manufacturing community at large. But for the most part, it doesn’t raise legal issues that are particularly novel. I’ve read all the same articles you have about protecting intellectual property and this and that, but that’s already a concern for manufacturers, and the framework for dealing with it is already there and we deal with it every day. So I stayed away from the Obligatory Post on the Internet of Things.
But as I was looking at this story about how Adobe may have collected personal data about its users and transmitted it in plaintext so it could be intercepted easily by others, an aspect of IoT that I haven’t seen explored in legal discussions struck me.
Manufacturers will soon have to worry about customer data privacy.
Not protecting IP. Not protecting customer lists. But watching what data they actually collect and what is done with that data.
This will be a new world for manufacturers. Even technology companies can make simple mistakes of inadvertently collecting customer data that they aren’t supposed to collect, or inadvertently transmitting that data in unencrypted form. And those problems expose the companies to legal trouble, not to mention that they’re a public relations nightmare. Remember when it was revealed that Sony didn’t encrypt its users’ personal information?
So let’s say you manufacture a refrigerator that can detect when you’re low on groceries, and allows you to order more, like this one. Now let’s say that, as part of that, it needs to know your name, address, and credit card number (not to mention your yogurt preferences). You can see the problem that a data breach would pose.
Data breaches are governed by a patchwork of laws, as I’ve written before in the context of customer notification obligations, and civil liability remains an open question. This may well prove to be a source of spectacular legal exposure. So get in front of it. Get counsel in the room with the business leaders and programming group to see what can be done to prevent possible breaches, and how the costs of preventive measures compare to anticipated costs of a breach. I submit to you that the time for this meeting is at the beginning of the product development process, not as an afterthought as the product is getting ready to go to market.
So, I’m on board: IoT is interesting from a legal perspective. I’ll get around to my obligatory post on 3-D printing soon enough.
[UPDATE: I’m not the only one who thinks this! The good people at Jenner & Block have already started a practice group dedicated to data breaches, and their practice group leader identified IoT as one of the areas with the “greatest potential for growth within the data privacy legal practice,” which is never something you want to hear about your product development plans, but that doesn’t make it any less accurate.]