Cybersecurity And The Internet of Things

The "Internet of Things", commonly referred to as the "IoT", is a phrase that loosely describes the growing body of Internet-connected devices, gadgets, and other items that do not fit the traditional concept of a "computer". Examples of IoT device types include wearable technology (e.g., health monitors), networked home appliances, IP security cameras, connected vehicles, environmental controls, smart watches, and even smart light bulbs. Homes and offices now frequently have an array of different devices and device types simultaneously communicating with and exchanging data over the Internet.

Consumers and developers of IoT technology appear willing and eager to add connectivity to almost anything with a plausible reason to have it. Whether this involves Internet-enabling an existing class of item or appliance, or developing an entirely new category of device, the IoT appears to be ushering in an era in which a traditional computer no longer serves as the sole, or even the primary, conduit for our interaction with the Internet.

Many commentators, as well as regulators in Canada, the United States and Europe, have noted that the IoT presents a number of challenges and concerns from a privacy law perspective. For example, the lack of a user interface on many IoT devices, and the automatic interaction between connected devices that is often invisible to users, make it difficult to meet legal consent requirements. However, a thorough analysis of the privacy implications of the IoT is outside the scope of this paper.

From a cybersecurity perspective, the IoT presents a number of unique considerations, challenges and risks. This paper examines these issues in the context of the Canadian legal framework applicable to private sector organizations.

Legal Obligations and Liability

The Personal Information Protection and Electronic Documents Act ("PIPEDA")1 governs protection of personal information in the course of commercial activities in all jurisdictions that do not have substantially similar legislation, as well as protection of personal information related to employees of federally-regulated organizations. Substantially similar legislation currently exists in Alberta, British Columbia and Quebec.2

Some may question the application of privacy legislation to IoT technology on the basis that the abstract information that a particular IoT device collects (e.g., the temperature in a house) does not easily fit within the concept of "personal" information, which is generally defined as information about an identifiable individual.3 However, the Ontario Court of Appeal has found that "personal information" has an elastic definition and should be interpreted accordingly.4 Further, by its nature, the IoT involves the connectivity of a number of devices, each of which collects different types of information. When such information is combined, it can present a detailed profile of an individual's lifestyle, habits, health, etc., which would undoubtedly qualify as personal information.5

The Federal Privacy Commissioner recently observed that in the context of the IoT, "it is not enough to look at specific pieces of data in isolation, but rather one must also look at what the data can reveal."

From a cybersecurity perspective, the most relevant statutory obligations applicable to IoT, under PIPEDA, are as follows:

- Personal information must be protected by security safeguards appropriate to the sensitivity of the information.6 Security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.7

- The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.8

- The methods of protection should include (a) physical measures; (b) organizational measures; and (c) technological measures.9

- An organization continues to be responsible for personal information it handles, even where that information has been transferred to a third party for storage or processing, and contractual or other means must be used to ensure that comparable levels of protection exist while the information is being processed by the third party.10

- In addition, when recent amendments to PIPEDA come into force, organizations will be obliged to maintain a record of any breach of security safeguards11 involving personal information under their control, and to notify the Office of the Privacy Commissioner of Canada and affected individuals of such a breach if it is reasonable to believe that it poses a "real risk of significant harm"12 to the affected individuals.

As discussed in more detail below, these legal obligations present unique issues and challenges when applied to the IoT. Indeed, the Federal Privacy Commissioner has even questioned whether Canada's privacy law framework is presently compatible with the IoT.13 For example, the Commissioner acknowledged the perception that the consent requirements and concept of personal information are outdated and overly simplistic in the IoT context.14

In addition to these...