INSIGHT: The Internet of Things and Information Governance: What You Need To Know To Manage Data Streaming From Everywhere

Bloomberg Law’s® extensive network of  reporters and editors delivers authoritative, timely coverage on federal, state, and international laws governing the discovery process for...

The Internet of Things, or IoT, is transforming how we interface with the world. As companies unlock the potential of the IoT-enabled world by harnessing vast streams of data, executives have to be aware of the challenges posed by the very same data. We offer companies practical guidance on how they should view data and information governance to address these challenges.

Priya Keshav Jason R. Baron

By Priya Keshav and Jason R. Baron

Priya Keshav is Founder & CEO of Meru Data, headquartered in Houston, Texas.

Jason R. Baron is Of Counsel to the Information Governance and eDiscovery Group at Drinker Biddle & Reath LLP, in Washington, D.C.

The views expressed here are the authors’ alone and do not necessarily reflect the views of any firm or institution in which they serve or are associated with.

The Internet of Things, or IoT, as the name suggests, refers to a network of physical devices capable of exchanging data in networked environments. IoT has become transformational across almost every sector of the economy. According to a recent Gartner estimate, the number of devices connected to the Internet will grow from 8.4 billion in 2017 to 20.4 billion in 2020. Almost any device can be made “smart” through an online connection, and such devices come in all forms, from wearables on and implantables in the human body, to all manner of devices in the home, to automobiles and drones, and—scaling up to industrial size—to smart cities and energy grids. These devices exist today across a variety of industries with a spectrum of consumer and industrial use-cases.

At a high level, IoT devices can be grouped by usage; a non-comprehensive list of categories would include:

1) Mobile computing: Cell phones, laptops, and tablets; mostly to manage other devices;

2) Wearables: Watches, fitness trackers, cameras;

3) Implantables: Chips used to access offices and factories, health monitoring devices, smart pills;

4) Smart home enablers: Thermostats, coffee makers, alarms, door bells, refrigerators, etc.;

5) Vehicles and transportation infrastructure: Driverless cars, car monitoring devices, GPS, traffic monitoring, including through vehicle-to-vehicle communications, drones;

6) Connected cities: Traffic cameras, sensors, parking sensors; and

7) Industrial internet enablers in industries such as oil and gas, transportation, etc.: SCADA (supervisory control and data acquisition) systems, equipment failure monitoring sensors, RFIDs.

As customers and manufacturers push the boundary of what “ever-smarter” IoT devices can do, the C-suite must discuss the challenges that lie ahead and should anticipate that information governance policies will need to be overhauled to reflect IoT concerns. Obvious challenges are the petabytes of data being generated, how analytics can enable insights from this data, and the security of the data.

Less obvious but equally important are challenges around how to govern data from billions of devices, especially when used by multiple companies across industries. A policy framework for effective sharing of IoT data, within the enterprise and with third parties, will be important.

Understanding both the ownership of the data, and the ethics of using data from billions of devices, will be another facet of the governance challenge; in other words, who owns the devices, the data, and the insights derived from data, and how will rights and obligations be respected and enforced? Another critical governance challenge will be keeping abreast of regulatory requirements. These will inevitably evolve and eventually define restrictions on the cross-industry use of, and access to, IoT data in its many forms.

This paper illustrates some of the governance challenges around IoT and how an IG framework can incorporate IoT considerations. We address how today’s data and information governance frameworks can guide the management of IoT data. We discuss what companies can do now with respect to IoT, while industry-wide standards develop and mature. We believe the broad contours of an information governance framework can and should be developed today to meet the coming IoT data tsunami.

Technology Enablers for the Growth of IoT

Technological advances have fueled IoT’s rapid growth. First, capabilities around managing data (through advances in collection, storage, and transfer) have grown tremendously. Storage costs have fallen, while the reliability and speed of data storage and access (from flash memory, solid state hard drives, etc.) has increased. Today we can more efficiently and reliably transfer larger amounts of data, both in wired and wireless modes. This allows more devices to be physically remote without compromising reliability or speed.

Second, advances in machine learning have made possible the real-time processing of larger data volumes. These machine learning capabilities have grown in lockstep with rapid improvements in cloud-based processing.

These significant improvements in both computing infrastructure, combined with heuristic models that are trained by and capable of analyzing real-time data, could transform how we understand the world. As the extraordinary capabilities of IoT come into focus, consumers and companies discover completely new ways of solving problems. Multiple industries are likely to fundamentally change within the next five to ten years, as the potential of IoT is realized.

Business Drivers for the Growth of IoT

While a fully automated world remains science fiction, current IoT devices have made great strides towards an automated future. In the IoT devices that have gained traction, a few common business drivers become apparent:

1. Potentially increased access to consumer information;

2. Continuous efforts to reduce costs and improve efficiency; and

3. Focus on reducing enterprise risk.

Access to Consumer Information

Understanding the needs of the consumer drives business. With a huge influx of data from IoT devices, companies will likely develop, mine, and repurpose more detailed profiles on consumer preferences. This assumes consumers will detail their interests and preferences for companies. Two recent studies suggest many consumers are willing to share personal information, if they trust the companies involved and believe they will get something in return.

A Columbia Business School study found consumers were willing to allow greater control or share more personal details if that resulted in better services or reduced costs. Consumers were quite aware their data was sensitive and how companies would use it. Nevertheless, with a trusted company or brand, the study found 75 percent of consumers were willing to share their data in return for products or services, and 80 percent felt they could share their data in return for tailored special offers.

An Accenture study reported that 57 percent of respondents were willing to share information if they knew it would not be sold or shared. In addition, 56 percent of consumers wanted guarantees that data protection safeguards were in place before they would share information. Given the growing number of data breaches, digital trust and privacy is critical for consumers. Not surprisingly, around 92 percent of consumers felt it is extremely important that companies protect their privacy. Consumers reported frustration on how their data was being used, and fear that new intelligent services will learn too much about them. According to the study, 66 percent of consumers want companies to be more transparent as to how they use customers’ information.

As the surveys indicate, consumers might be willing to share personal information with companies they trust. But real-world experience also clearly shows that consumers expect the privacy and security of their data won’t be compromised. Nevertheless, companies can gain consumer trust around data, and also differentiate themselves, by demonstrating their governance efforts towards privacy protection and data security. A company with a stellar reputation for stewarding consumer data will gain a competitive advantage.

Continuous Efforts to Reduce Costs and Increase Efficiency

Increasingly, businesses have turned to automation to improve efficiency and reduce costs.

Reducing downtime is a chief way industrial companies can improve efficiency. With IoT companies can gather more data on virtually all aspects of their workflows. New plants and lines incorporate IoT devices by design, while IoT sensors can be retrofitted onto existing lines. Armed with advanced analytical capabilities and computing power, companies can better predict failures ahead of time, including when components might go down. Real-time views of plants and processes can improve safety by empowering companies to identify and stop unintended deviations.

Another clear trend across industry segments is that down-cycles result in dramatic transformations, and often the segment emerges leaner as a result. For example, in the recent downturn in the oil and gas industry, hundreds of thousands of jobs were eliminated. Significant improvements in automation mean that many of these jobs are unlikely to return, even when the industry picks up.

Another disruptive transformation is the advent of automated distribution centers like those run by Amazon and Walmart. On the consumer end, Amazon Go groceries eliminate cashiers, as every item is tagged and shoppers simply scan items under the watch of cameras and sensors.

Reducing Risk

Another key driver for IoT uptake is reduction of insurable risk. Improved predictive analytics, using more accurate data, can help companies predict and manage risk. This can reduce insurance costs. As an example, better prediction of turbulence can lessen overall downtime in wind power generation, and thereby lessen risk.

Reducing risks to lower insurance costs can be seen in the largest U.S. insurance market: personal medical insurance. Overall yearly medical insurance premiums are estimated to be upwards of $1.1 trillion. With more individual personal health data from IoT healthcare devices (from today’s step counters to more sophisticated health diagnostic devices of the future), insurers can better understand consumer risk profiles and possibly reduce overall premiums. The Accenture IoT study found that 78 percent of customers would provide more data to insurers in return for lower premiums.

Challenges to the Growth of IoT

Above we described the technological enablers and business drivers that fuel the growth of IoT. These factors are unlikely to diminish as IoT devices become ever more ubiquitous. However, as we look at today’s IoT use cases and imagine those of the future, there will be challenges to overcome. Not addressing these challenges upfront could slow the uptake of IoT devices.

Broadly speaking, these challenges fall into three types: technical, business, and governance. Here we focus on just the information governance challenges. These are especially important as the industry is beginning to understand, and develop a comprehensive view of, what governance entails in an IoT world.

We see information governance challenges around IoT as falling into six categories:

1) Security and privacy

2) Evolving standards

3) Data ownership

4) Increased collection and transmission of sensitive data

5) Increased liability from IoT

6) Evolving regulatory environments.

Security and Privacy Issues

Data security and privacy are becoming more important across all industries, given increasing data volumes and the spate of data breaches. These will only become more challenging in an IoT world, which will generate far more data, in networks that will have exponentially more end-points that can be potentially breached.

As IoT devices combine the physical and virtual worlds at a larger scale, inadequacies in today’s measures and strategies for digital security will quickly become evident. While patches might work in the short term, at some point organizations will need new security frameworks that span the entire cyber physical stack (including device-level authentication, application security, system-wide assurance, resiliency, and incident response models).

Today, a large fraction of IoT devices are not encrypted, providing easier access to an organization’s networks. In addition to the vulnerabilities they create for data breach, compromised IoT devices can be manipulated to behave differently. This could have disastrous consequences in, for example, medical devices that regulate insulin levels or cars with remotely controllable devices. While as of now there have only been the occasional reports of these devices being controlled remotely, it would be unsurprising to see more instances of inadvertent or malicious unauthorized control in the future – leading to potentially serious or deadly injuries.

Compromised devices can recruit more devices for attacks on other devices or the network. The compromised devices can launch different attacks on the network, such as a Denial of Services attack, which floods a network with illegitimate requests to block legitimate ones. An early example was the attack on the DNS provider Dyn in October 2016. Investigations revealed that over 100,000 malicious endpoints were used in the attack, and that a significant volume of attack traffic originated from Mirai, a malware that converted networked or IoT devices into a “botnet.” The Mirai malware infected residential cable TV boxes in this instance.

The National Institute of Standards and Technology (NIST) released in February 2018 a draft report on IoT cybersecurity standards. It analyzes at a high level the current state of cybersecurity standards for IoT.

Evolving Industry Standards

The footprint and capabilities of IoT devices expand rapidly. New players join continuously, and companies have been focused initially on proof of concept use-cases.. But we lack established standards around interoperability and backwards compatibility. Forward-thinking companies recognize this and are trying to set up long-term standards; however, at present different industry leaders are steering multiple concurrent efforts. The list below summarizes just some of them.

Others have recognized that multiple standards could be problematic and have formed working groups to review the standards. For example, the National Telecommunication and Information Administration (NTIA) formed a working group to review existing IoT security standards and initiatives. A similar European effort to document the landscape is contained in a report of the Working Group (WG3) of the Alliances for Internet of Things Innovation (AIOTI).

Table: Selected efforts to develop IoT standards 
Standard Focus area Details
Open Connectivity Foundation All IoT Formed out of the AllSeen Alliance (uses AllJoyn from Qualcomm) and the Open Interconnect Consortium (backed by Intel).
IEEE p2413 All IoT A unified approach to defining IoT architectures across industries and consumer devices. Does not aim to replace existing data formats but seeks to reduce the effort to share data among them. Currently in development.
EdgeX Foundry Industrial IOT and Consumer Consists of one standard for Industrial IoT and another standard for Consumer IoT. Advocated by the Linux Foundation.
ZigBee Alliance Interoperability layer Consists of standard for open IOT. Dotdot aims to be a universal language for IoT.
Z-Wave Interoperability layer It provides interoperability of devices from different manufacturers. Seeks to help developers integrate applications and services on Z-wave networks using cloud-based platforms like HomeKit.
Industrial Internet Consortium (IIC): Industrial IoT An effort to harmonize connected components in the industrial space (members include AT&T, Cisco, General Electric, Intel and IBM).
OpenFog Consortium Distributed computing Focuses on creating reference architecture for distributed computing.
3GPP Communication (Low power LTE) Category M1, NB1 are specifications for low-power versions of LTE from the 3GPP (cellular standards project). These are slower than regular mobile but use less energy and intended for small, battery-powered connected objects like sensors.
LoRa Communication (Low power WAN) A low-power, wide-area networking standard.

These different efforts inevitably increase uncertainty in both customers and companies as they make purchasing decisions. Additionally, companies need to manage existing (i.e., “legacy”) IoT devices built to a different, older standard, especially as vulnerabilities in the old standards are newly uncovered. For example, when older generations of devices with expiring encryption certificates are deactivated, companies might leave users out in the cold unless and until the devices are replaced. Companies need to understand the standards landscape as they chart plans for both legacy and new IoT devices.

Ownership of Data

The concept of data ownership is also changing as companies shift from selling products to providing outcome-based services. At both industrial and consumer levels, manufacturers control devices more actively after the sale to provide these services. Companies can manage devices remotely more than consumers realize; examples include Tesla improving battery life, and Apple slowing down performance in phones with older batteries.

Cross-Industry Partnerships Raise Significant Questions Around Ownership of Data

To maximize the impact of IoT, numerous partnerships have been forged across sectors. As IDC has reported, these efforts are more successful when the partnering companies also share IoT data. The shared data becomes critical, both to the partnering companies that use it to develop innovative solutions, and to the end consumer who gets better insights from an integrated look at the data.

In an IoT world, companies can better deliver measurable results to customers. However, it is unclear who owns the data at any point in time, or how the data is governed as it travels between companies in an integrated solution. Nor are there clear answers to fundamental questions such as who owns the IoT device, or the IoT-derived data as it is stored in different locations, or the insights that can be derived from the data, or how rights and obligations will be respected and enforced.

Complicating this further, many of the collaborative cutting-edge IoT solutions are treated as innovation projects; at least initially there is less focus on governance and security. Companies and their customers need to understand the ownership and ethics of using data from billions of IoT devices. And companies must be as transparent as possible to consumers on how they address the above ownership issues.

Additionally, to enable these cross-industry partnerships, software platforms facilitate data capture, aggregation, and exchange of data across the partner network. These networks will, in turn, lead to innovation at an unprecedented speed and scale. For instance, in the medical space, some new platforms support a wide range of connected devices that can all contribute patient health data, to improve hospital-to-home health and economic outcomes.

As part of the governance function, companies must put thought into how to manage data ownership once it is shared on this type of platform. Similarly, the auto industry stands at the threshold of a major transformation with driverless cars – the self-driving car is, in a broad sense, an IoT device. Technology companies and ride-sharing innovations have been at the forefront of these changes, in some cases in partnership with traditional auto manufacturers.

These innovations have led to consumer usage data being shared much more widely amongst many different companies. The governance functions in companies across this entire ecosystem can together shape the consumer experience in the future.

Increased Collection and Transmission of Sensitive Data

With increased collection and transmission of sensitive data from IoT devices to different servers and the cloud, it is important to understand the risks associated with moving data between customers and multiple companies and the risks that arise when this data is shared.

Companies typically encrypt data during transmission and anonymize any shared data. However, as has become apparent, anonymized data is not always completely anonymous. Either individuals associated with the data can be identified or patterns from the data might reveal other unintended information. For example, researchers from UT Austin identified individual users in an “anonymized” data set of 10 million movie rankings from 500,000 users that was released by Netflix – the researchers de-anonymized the data by comparing with other public data (IMDB data). More recently, it was reported that a widely used fitness tracking app published an anonymized heat map of its users’ biking and running paths that, when coupled with locations of known military bases, revealed the structures of bases around the world as soldiers ran around them.

These anonymized data sets raise interesting questions with practical consequences: Who owns the data, and how does ownership change when the data is loaded to the cloud? When the publication of an anonymized consolidation of the data ends up revealing more information than intended, how does the company deal with the user or parties affected? Governance of this data should mean anticipating and managing uses beyond the intended ones.

Companies storing this data have an additional area to be watchful of: data breaches. As IoT devices track and store everyday patterns as well as personal health attributes, companies need to evaluate the risk that data can in fact be linked back to users.

Increased Liabilities From IoT

As we’ve seen, companies need to review how IoT changes their risk and liability profiles. IoT can increase revenue by offering a service with a quantifiable output as opposed to a product. However, this alters the landscape of risk and liability, as customer relationships might continue for many years and might need to be redefined. In other words, the time period and nature of liability will change as the business model becomes more data-driven.

Evolving regulatory environments

Regulatory authorities in the U.S. and Europe have taken keen interest in IoT. The Federal Trade Commission (FTC) has a body of decisions that have enforced consumer rights under various statutes. In Europe, policies and guidelines on IoT have been put in place through the Article 29 Working Party’s 2014 guidance and will be expected to evolve under the General Data Protection Regulation (GDPR), enforceable after May 25, 2018.

The FTC issued guidelines for consumer-facing industries following a 2013 workshop on big data and connected devices. The FTC recommendations seek to enhance the privacy and security of consumers. They note that IoT devices have the potential to improve lives but also pose numerous security and privacy concerns that can undermine consumer confidence. They recommend that the longstanding Fair Information Practice Principles (FIPPs), especially around security, data minimization, notice, and choice, should apply to IOT. Some of the key recommendations include:

  •  Security: Companies should build security in the devices from the beginning. Devices should have multiple layers of security.
  •  Data minimization: Reasonable limits on collection and retention of consumer data can limit risks. However, the guidelines recognize that flexibility and balance in retention polices can enable future beneficial uses of data.
  •  Notice and choice: Providing notice and choice are important but are harder with IoT devices that lack a consumer interface. Companies need not offer choice when devices are being used in an expected manner, but they should offer information and choices for unexpected uses.

The guidelines support broad-based, technology-neutral legislation around privacy that would include IoT, but they recommend against IoT-specific legislation so that innovation isn’t hampered. However, existing tools would be used to ensure IoT companies have considered privacy and security.

The FTC also has brought numerous cases against companies that failed to reasonably safeguard and protect consumer data. Examples have included:

1) Trendnet Inc.: Settled with FTC after allegations that it misrepresented the security of its cameras. The cameras allowed hackers to webcast live feeds from hundreds of its customers’ homes. Trendnet was required to establish a more comprehensive information security program to protect the data its devices collects. The company was also required to obtain a third-party assessment of its security program every two years for the next 20 years.

2) Vizio: Fined $2.2 million and had to overhaul its data collection and sharing practices, after FTC allegations that the company had gathered smart TV users’ viewing data without prior consent and shared the data with third parties.

3) Vtech: The Department of Justice on behalf of FTC alleged the toy manufacturer Vtech collected personal information from kids without notice or consent from parents, as required by the Children’s Online Privacy Protection Act (COPPA), and did not use reasonable measures to protect the collected data. Vtech was fined $650,000 and is permanently prohibited from violating COPPA in the future.

4) Dlink: In a pending matter, FTC has alleged that router manufacturer Dlink failed to take reasonable steps to protect its routers, security cameras and applications. Dlink is also alleged to have failed to remediate known security flaws in a timely manner, causing considerable harm to its consumers.

European Union Article 29 Working Party Guidance

The European Union created a working party (WP29), per article 29 of the EU Data Protection directive, on how personal data should be processed and protected within the EU. The WP29, which has provided various recommendations on how to comply with EU data privacy legislation, will eventually be replaced by the European Data Protection Board under the EU GDPR.

The WP29 issued guidance in 2014 on three specific IoT developments – wearable computing, devices carried by individuals to record information about habits and lifestyles (quantified self), and household automation (domotics). The opinion drew attention to various security and privacy challenges raised by IoT devices and provided recommendations to various stakeholders (device manufacturers, application developers, social platforms and other data recipients).

The guidance recommended conducting privacy impact assessments before launching any IoT device or application. It also recommended that companies clearly communicate what type of data would be collected, and when and how it will be used, and that they obtain clear consent from individuals before collection. The stakeholders should also consider and accommodate the data subjects’ rights and provide the ability to access, modify, and/or delete personal data. It suggested that data minimization and other principles should be followed to ensure the security and protection of the data collected.

General Data Protection Regulation (GDPR)

The European Parliament, the Council of the European Union, and the European Commission passed the GDPR in 2016 to unify and strengthen the data protection rights of all individuals within the EU. The GDPR (Regulation 2016/679) became effective on May 25, 2018.

The aim of GDPR is to protect EU citizens’ right to privacy and protect them in the event of a data breach. The regulation applies to all corporations that act as either “ data controllers” or “ data processors” of EU residents’ data. GDPR applies to companies outside the EU, as long as they collect or process data from EU residents.

The GDPR requires organizations to implement appropriate technical and organizational measures to protect the data they have collected and/or processed and to protect the rights of EU residents. The regulation also grants EU residents a number of rights, including the right to a judicial remedy against organizations that failed to take reasonable measures to protect the security and privacy of collected data. Organizations not in compliance with GDPR can be fined up to four percent of annual global turnover or €20 million, whichever is greater.

Updating Information Governance Policies to Handle IoT

In recent years, the emerging discipline of information governance (IG) has helped to build a framework for corporations to deal with burgeoning data sources, through (i) appointment of a council of key officers dedicated to optimizing IG; and (ii) development of policies that define IG challenges, starting with an IG mission statement.

According to the latest “State of IG” survey from the Information Governance Initiative, a growing number of companies have an IG program in place with a standing IG committee comprising senior staff. However, anecdotal data suggests that even in cases where companies have improved governance of existing and legacy data sets, few companies have IG policies that handle IoT-specific concerns. Companies need to comprehensively address the special security, privacy, recordkeeping, and litigation considerations that IoT data raises. A well-thought-out approach can enable better analytical insights from the rich data being collected, without exposing the company to undue risk.

Corporations should think through their legal and compliance obligations with respect to retention and disposition of IoT data. IG officers and staff should inventory what types of personal data IoT sources collect. This not only constitutes best practice in the U.S. but will be required under the GDPR. And, as discussed above, a major challenge is not only that personal data is being collected from wearables, home devices, and the like, but that data can be aggregated in ways that lead to the de-anonymization of individuals.

Legacy records schedules are unlikely to account for the intake of IoT data. Thus companies should deliniate an appropriate data retention period. With GDPR compliance concerns in mind, records schedules should be in compliance not only with minimum retention periods set out in law, but also with any regulatory maximum set under the GDPR framework or otherwise.

One aspect of the IG function will be to preserve IoT data for “big data analytics.” To enable the business to gain deeper insights, the IG function should ensure that the right data, of the right quality, is available for analytics. This might require balancing (or reconciling) competing priorities within the enterprise: one that treats data as an asset that needs to be preserved, and the other that tries to ensure IoT data adheres to retention norms (and legal advice) regarding deletion of ephemeral data, especially of a personal variety.

Another IG function may be to ensure that consumers and employees get an appropriate level of transparency on how IoT data will be used and re-purposed, including through third party data brokers. Existing privacy, notice, and consent policies will need to be re-examined. In the future, it is likely that both consumers and regulators will expect notice and choice options for IoT data similar to those available for other data sources.

A built-in escalation process to an enterprise’s IG council, including involving the security and privacy aspects of IoT data, arguably will be an efficient way of handling novel concerns raised by the ingestion of such data. Technology will always outpace policies and regulations, but that should not excuse corporate responsibility to tackle, with appropriate policies or programs, novel issues IoT data raises.


The Internet of Things promises to transform our lives in ways both imaginable and unimaginable. There is no going back: we will soon be able to collect and analyze data from virtually every type of consumer and industrial device on Earth.

Knowing this, we can strive to build policy frameworks that to account for technological changes. We can participate in standards-setting exercises governing IoT data. We can motivate senior leadership in institutions of all types to recognize and support the need to update existing policies, to account for the security, privacy, recordkeeping, and compliance aspects of IoT. We can also be mindful of ethical considerations surrounding personal IoT data, and attempt to address them at an appropriate corporate level. Developing a mature IG framework to account for IoT issues is one practical step to take as we watch the world transform.

To contact the editor responsible for this story: S. Ethan Bowers at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request E-Discovery & Legal Tech News