Cybersecurity and the Internet of Things Article reprinted from the May 2016, Volume 13, Number 6 issue of Canadian Law Review

* This article was first published in Canadian Corporate Counsel, a Thomson Reuters Canada publication.

McMillan LLP | Vancouver | Calgary | Toronto | Ottawa | Montréal | Hong Kong | mcmillan.ca Canadian Review May 2016 Volume 13, No. 6

Canadian Privacy Law Review Article reprinted from May 2016, Volume 13, Number 6 issue

• CYBERSECURITY AND THE INTERNET OF THINGS •

Lyndsay Wasser, Co-Chair Cybersecurity, Mitch Koczerginski, Associate, and Rohan Hill, Associate, McMillan LLP © McMillan LLP, Vancouver

Lyndsay Wasser Mitch Koczerginski Rohan Hill

The “Internet of Things”, commonly referred to include wearable technology (e.g., health monitors), as the “IoT”, is a phrase that loosely describes the networked home appliances, IP security cameras, growing body of Internet-connected devices, gadgets, connected vehicles, environmental controls, smart and other items that do not fit the traditional concept watches, and even smart light bulbs. Homes and offices of a “computer”. Examples of IoT device types now frequently have an array of different devices and

47 May 2016 Volume 13, No. 6 Canadian Privacy Law Review device types simultaneously communicating with and similar legislation currently exists in , British exchanging data over the Internet. Columbia and .2 Consumers and developers of IoT technology appear Some may question the application of privacy willing and anxious to add connectivity to almost legislation to IoT technology on the basis that the anything with a logical reason to have it. Whether it abstract information that a particular IoT device involves Internet — enabling an existing class of item collects (e.g., temperature in a house) does not easily or appliance, or developing an entirely new category fit within the concept of “personal” information, of device, it appears that the IoT is ushering in an era which is generally defined as information about an where a traditional computer no longer serves as the identifiable individual.3 However, the Court sole or even primary conduit for our interaction with of Appeal has found that “personal information” the Internet. has an elastic definition and should be interpreted Many commentators, as well as regulators in accordingly.4 Further, by its nature, the IoT involves Canada, the United States and Europe, have noted that connectivity of a number of devices that each the IoT presents a number of challenges and concerns collects different types of information. When such from a privacy law perspective. For example, the lack information is combined, it can present a detailed of user interface on many IoT devices, and automatic profile of an individual’s lifestyle, habits, health, interaction between connected devices that is often etc., which would undoubtedly qualify as personal invisible to users, makes it difficult to meet legal information. The Federal Privacy Commissioner consent requirements. However, a thorough analysis recently observed that in the context of the IoT, of the privacy implications of the IoT is outside the “it is not enough to look at specific pieces of data in scope of this paper. isolation, but rather one must also look at what the From a cybersecurity perspective, the IoT presents data can reveal.”5 a number of unique considerations, challenges and From a cybersecurity perspective, the most risks. This paper examines these issues in the context relevant statutory obligations applicable to IoT, under of the Canadian legal framework applicable to private PIPEDA, are as follows: sector organizations. • Personal information must be protected by security safeguards appropriate to the sensitivity LEGAL OBLIGATIONS AND LIABILITY of the information.6 The Personal Information Protection and Electronic • Security safeguards must protect personal Documents Act (“PIPEDA”)1 governs protection of information against loss or theft, as well as personal information in the course of commercial unauthorized access, disclosure, copying, use, or activities in all jurisdictions that do not have modification, regardless of the format in which it 7 substantially similar legislation, as well as protection is held. of personal information related to employees of • The nature of the safeguards will vary depending federally-regulated organizations. Substantially on the sensitivity of the information that has been

ELECTRONIC VERSION AVAILABLE A PDF version of your print subscription is available for an additional charge.

A PDF file of each issue will be e-mailed directly to you 12 times per year, for internal distribution only.

48 Canadian Privacy Law Review May 2016 Volume 13, No. 6

collected, the amount, distribution, and format of while interacting with a cloud-based service provider, the information, and the method of storage. More or a 3rd party application, or another IoT device? sensitive information should be safeguarded by a It may not be practical for a developer to higher level of protection.8 comprehensively test all possible IoT device • The methods of protection should include interactions for compatibility issues. Where an IoT (a) physical measures; (b) organizational measures; device causes harm on the basis of decisions or and (c) technological measures.9 actions that were made or coordinated with other • An organization continues to be responsible for IoT devices, there may be challenges in determining personal information it handles, even where that questions of liability. Determining fault for incorrect information has been transferred to a third party dosing from a medication pump is more complex for storage or processing, and contractual or other if the device makes decisions about dosage by first means must be used to ensure that comparable communicating with other connected devices to levels of protection exist while the information is obtain health and environmental data. Determining being processed by the third party.10 fault for a traffic accident may be complicated by the fact that a connected vehicle reacts to communication In addition, when recent amendments to PIPEDA from, for example, other connected vehicles, devices come into force, organizations will be obliged to carried by pedestrians, or networked sensors. maintain a record of any breach of security safeguards11 Existing negligence, product liability and privacy involving personal information under their control, laws may provide some guidance, but several issues and notify the Office of the Privacy Commissioner of will require novel consideration by the courts. Given the Canada and affected individuals of such a breach if rise in privacy and data breach litigation in Canada, and it is reasonable to believe that it poses a “real risk of the unsettled state of the law, it is likely that plaintiffs’ significant harm”12 to the affected individuals. lawyers will cast their nets widely when searching for As discussed in more detail below, these legal liability for damages caused by IoT devices. obligations present unique issues and challenges when applied to the IoT. Indeed, the Federal Privacy Commissioner has even questioned whether Canada’s ENHANCED RISKS IN A CONNECTED WORLD privacy law framework is presently compatible with the The legal obligations described above raise a number 13 IoT. For example, the Commissioner acknowledged of unique considerations for IoT, including: the perception that the consent requirements and • Heightened risk of harm; concept of personal information are outdated and • Increased sensitivity of personal information; overly simplistic in the IoT context.14 • More vulnerabilities and difficulty of patching; and In addition to these statutory obligations, as • Vulnerabilities created by third parties. discussed in our earlier article, “Cybersecurity – The Legal Landscape in Canada”, privacy and data Each of these issues is addressed in more detail breaches have given rise to a large number of class below. action lawsuits in recent years, and the common law in this area continues to evolve. Heightened Risk of Harm In this regard, interesting questions arise regarding attribution of liability when an IoT device is As indicated above, organizations are required to involved. For example, when damages result from implement security safeguards to protect the personal the functioning (or malfunctioning) of an IoT device, information that they collect, use, store and disclose. who is ultimately liable? Is the device’s owner The importance of such safeguards is amplified by the responsible? The manufacturer? What if a device fails increase in adoption of IoT devices, the increase in

49 May 2016 Volume 13, No. 6 Canadian Privacy Law Review variety of device functions, and the related increase in render such information more sensitive.15 The IoT responsibility that is being entrusted to such devices. allows personal information to be collected from a Early IoT devices may have handled relatively number of different devices, and the complete picture non-critical tasks, but as the pervasiveness of of an individual’s life that can be gleaned from the IoT technology has grown, these devices have aggregation of such data could reveal a more intimate increasingly been charged with more significant picture of the individual than he or she ever intended tasks, from tracking an individual’s health, to piloting to make known. This has both privacy and security vehicles, and even monitoring the security and safety implications, including potentially increasing the of property and infrastructure. While the evolution risks of . in IoT device capability promises many benefits to Security measures for IoT devices will need to take consumers and businesses, the greater responsibility into account the enhanced sensitivity of vast amounts and power delegated to IoT devices also creates a of real-time information collected in a connected world. greater risk of negative privacy implications, injury, or property damage, if IoT devices fail, mishandle More Vulnerabilities and Difficulty of Patching personal information or operate in an undesirable manner. A fitness tracker that fails to accurately Any device that connects to the Internet can potentially record a user’s daily step count may not trigger dire be compromised by malicious actors. Therefore, consequences, but a medical device that administers as the IoT becomes more prevalent, the number of the wrong amount of insulin, an autonomous vehicle vulnerabilities that can be exploited by the pool of that malfunctions and causes an accident, or an increasingly sophisticated malicious actors will also e-wallet that inadvertently discloses an individual’s continue to grow. banking information and transaction history, could Of particular concern is that IoT devices are often have serious implications. designed by less experienced product developers, many This heightened risk of harm suggests that more of whom are not focusing upon security considerations. stringent security safeguards will be required for many The rapid growth of interest in connected devices has IoT devices, in order for such devices to comply with attracted a great deal of attention to the IoT space, and legal obligations. Additional implications may arise various start-ups and crowd funding initiatives have when the new breach reporting requirements come formed for the purpose of creating single, freshman into force under PIPEDA. product offerings. While this may be seen as positive in terms of the health of the IoT industry, the degree of security expertise behind an IoT device may vary Increased Sensitivity of Personal Information significantly depending on its origin and the team Organizations must also be aware that PIPEDA behind it. requires the application of more stringent security In fact, in its recent report, “The Internet of Things. safeguards to protect personal information that is of An introduction to privacy issues with a focus on a sensitive nature. the retail and home environments”, the Office of Some of the information that is collected by IoT the Privacy Commissioner of Canada cited research devices is inherently sensitive, such as information findings indicating that approximately 70% of IoT about sleeping patterns, credit card information, or devices have vulnerabilities that could be exploited.16 health and fitness data. In addition, even data that Such vulnerabilities included: “... 80% of devices, may seem non-sensitive in isolation may be rendered including cloud and mobile apps, failed to require sensitive when combined with other sensitive or strong passwords, 70% of devices did not encrypt non-sensitive information. Past cases indicate that communications, 60% lacked encryption for software collecting a vast amount of personal information can updates and another 60% had insecure web interfaces.”17

50 Canadian Privacy Law Review May 2016 Volume 13, No. 6

Another security challenge arises with respect to the short deployed lifespan thanks to Moore’s law and the provision of software updates that may be necessary to fast obsolescence of traditional computer hardware, maintain and strengthen the security of an IoT device IoT devices that are integrated into homes, vehicles, over time. While it is important for developers to ensure or businesses, may be deployed for comparatively that a device continues to remain secure, their ability long periods of time before replacement. In other to access the device to install software updates may be words, although many people may replace their laptop limited in the IoT context. Canada’s Anti-Spam Law computer every few years, very few people are in the (“CASL”)18 contains provisions governing software habit of regularly replacing their deadbolts. installation in the course of commercial activities. These provisions prohibit the installation of computer Vulnerabilities Created by Third Parties programs on another person’s computer system without express consent. Given that an IoT device often does While the integration of IoT devices into day-to-day not contain an interface that allows communication life offers exciting benefits, reliance on this technology between a device and the owner, developers must also requires placing a tremendous amount of trust in consider alternative ways to obtain express consent for both the device’s embedded cybersecurity systems the installation of software updates. and the security safeguards of devices developed by A lack of frequent updating is particularly third parties with which they interact. IoT devices problematic in the IoT context given the combination often interact with third-party and cloud service of (A) the high degree of responsibility that is providers, and are increasingly interacting with each increasingly entrusted to IoT devices, (B) the fact that other. When multiple devices are connected, there is these devices often have “always-on” IP connections a risk that a weak link in any of them can be exploited to the Internet, and (C) the reality that there is a to compromise them all. significant group of individuals and organizations Furthermore, while loss of privacy, injury or property tirelessly searching for exploits and vulnerabilities in damage may result solely from the failure of an IoT any systems they can access on the Internet. device, in other cases it may result from a combination of While users are largely accustomed to updating IoT device vulnerabilities and the intentional malicious their computer or smartphone OS, it remains to be exploitation by a third party. In 2015, various media seen how amenable individuals will be to adopting reported on demonstrations conducted by attackers who a similar practice for connected light bulbs, coffee were purportedly able to disable brakes and interfere makers, thermostats, deadbolts, fitness monitors, and with steering on Internet connected vehicles.19 Other other IoT devices. Some IoT devices may even lack media have reported on security experts being able to practical security update and patching mechanisms, hack into a secured wireless network through “smart” may lack interfaces as discussed above, or may light bulbs.20 While there has been debate about the ultimately be abandoned by their original developers practicality of specific exploits, it is reasonable to expect (e.g., because they are too expensive to maintain or that an expanding base of Internet integrated devices because a start-up business fails and the developer will attract an expanding base of individuals looking to is no longer operating). The lack of an interface also exploit those systems for nefarious purposes. creates a risk that security credentials on IoT devices In a recent statement to the United States Senate will be less frequently changed from their defaults. Armed Services Committee, James Clapper, the US Since IoT devices will often use customized software director of national intelligence, advised that in the or firmware, if the developer is not diligent in issuing future, intelligence services might utilize IoT devices updates, the user may be unable to correct security for identification, , monitoring, location deficiencies. This challenge is exacerbated by the fact tracking, recruitment targeting and gaining access to that while a computer OS will often have a relatively networks or user credentials.21

51 May 2016 Volume 13, No. 6 Canadian Privacy Law Review

While less dramatic than the examples above, also be well-advised to conduct a privacy impact malicious attackers may also utilize vulnerabilities assessment to consider the privacy implications of in IoT devices as vectors for network intrusion to their product(s) and ways to reduce privacy-related either gain benefit from access to the network itself risks. In particular, some privacy principles intersect or to leverage the network or an IoT device’s Internet with cybersecurity considerations. For example, connection as a tool for launching other disruptive the data minimization principle can be applied to activities such as distributed denial of service reduce risk. If an organization limits its collection (“DDoS”) attacks, or the distribution of spam. of personal information to only what it needs in the Organizations entering the IoT space should circumstances, and disposes of such information understand the vulnerabilities at play and consider (securely) once it is no longer required, this will how they can reduce associated risks. minimize the amount of information that is available to malicious actors in the event of a data breach. REDUCING THE RISKS Building security and privacy into the design of IoT products from the outset can improve functionality Given the legal obligations, risks, and uncertainty of and decrease costs, as well as maximizing compliance liability described above, organizations should seriously with legal requirements. consider the cybersecurity implications of the IoT. Organizations that are considering integrating IoT In particular, organizations that are developing IoT devices into their business should ensure that they: devices should consider cybersecurity issues from • Understand potential security implications, the outset, and build security into the design and including by conducting a security risk assessment development of the product, including by: or threat impact assessment; • Conducting a security risk assessment or threat • Take steps to reduce and mitigate risks, such as impact assessment early in the process; isolating IoT devices from systems containing • Evaluating applicable legal requirements and highly confidential or sensitive information, restrictions, such as those set out in PIPEDA where appropriate; and CASL (e.g., CASL requirements applicable • Make inquiries of product developers and to updates as well as specific notice and consent distributors, to ensure security has been built into requirements under CASL when a program causes the design of the products and appropriate patches a computer system to communicate with another and updates will be available, as necessary, and computer system); obtain contractual commitments to the foregoing, • Considering how the device will interact where possible; with other IoT devices, and options to reduce • Ensure that auditing and analytical tools are in associated risks; place to monitor for breaches of IoT devices, and • Testing security measures before products are that known vulnerabilities are patched in a timely launched; manner; • Considering how patches and updates will • Consider impact on bandwidth, as this can affect handled; and business continuity; • Taking steps to confirm/ensure that any partners • Conduct a privacy impact assessment, and and services providers are appropriately addressing also review privacy policies and procedures to security issues and legal requirements, including determine if updates will be required. implementing appropriate contractual arrangements. The measures described above are not intended Although privacy implications of the IoT are to be all-inclusive, but provide a good starting point outside the scope of this article, developers would when considering the cybersecurity implications of

52 Canadian Privacy Law Review May 2016 Volume 13, No. 6 the IoT. In its recent staff report, “Internet of Things: cybersecurity issues, including advising on access Privacy & Security in a Connected World”, the Federal requests, legal requirements related to , Trade Commission provides additional guidance on privacy breaches, issues, handling steps that organizations can take to address privacy personal health information, CASL compliance, and and security issues related to the IoT.22 transferring personal information across borders, as well as helping organizations to develop privacy Conclusion compliance programs, privacy and social media While some of the risks discussed above are not policies, data sharing agreements and consent forms. strictly unique to the IoT, many are exacerbated by Lyndsay regularly writes and speaks on privacy- the nature of IoT technology and the recent dramatic related topics, and is the co-author of Privacy in the rd influx of participants into the IoT device space. Workplace, 3 ed. and the Privacy chapter in the By their nature, IoT devices are often deployed Ultimate Corporate Counsel Guide. in a diverse range of physical environments. It may Mitch Koczerginski is an Associate in the not be possible for product developers to anticipate Litigation and Dispute Resolution group in the firm’s or comprehensively test IoT devices across all Toronto office. He is developing a broad practice in potential operating environments. Similarly, the “soft commercial litigation, privacy and data security law. environment” may be equally difficult to completely Mitch has acted on appeals before the Information anticipate and test for incompatibilities, as IoT devices and Privacy Commissioner of Ontario with respect may ultimately end up interacting with applications, to freedom of information requests. He has also cloud service providers, and other IoT devices in a written on various issues at the cross section of manner that the designers did not anticipate. privacy law and technology. While at law school, The IoT space offers unprecedented connectivity. Mitch earned a designation in law and technology However, the significant trust afforded to these devices from University of Ottawa and completed an also introduces an unprecedented vulnerability to externship with the Canadian Internet Policy and various harms in the event of technical device failures Public Interest Clinic. or mishandling of personal information. This article has Rohan Hill is a lawyer in McMillan’s Vancouver explored some of the risks associated with the operation office. Rohan is a member of the firm’s Advocacy of IoT technology and certain requirements pertaining to and Litigation group and has experience in a broad the security of personal information generated by these range of areas, including internet and technology, devices. In the flurry to develop devices that operate in defamation, environmental regulation, administrative this space, developers ought to conduct an analysis of law, commercial disputes, cybersecurity, and surrounding vulnerabilities and applicable obligations. cryptocurrency. Rohan has a strong interest in new In addition, it is important for organizations to carefully and emerging technology.] consider the implications of deploying these devices in connection with their businesses. 1 Personal Information Protection and Electronic This article was first published in Canadian Documents Act, S.C. 2000, c. 5. Corporate Counsel, a Thomson Reuters Canada 2 Ontario’s health sector privacy legislation has also publication. been declared substantially similar to PIPEDA, but [Lyndsay Wasser is the Co-Chair of McMillan’s most of the restrictions and requirements only apply to Privacy & Data Protection Group and its health information custodians. Cybersecurity Group. She is a Certified Information 3 Barbara McIssac, Kris Klein, Rick Shields, The Law Of Privacy Professional/Canada, and regularly advises Privacy In Canada, (Toronto: Thomson Carswell, 2012) and assists clients on a broad range of privacy and at 4.1-1.

53 May 2016 Volume 13, No. 6 Canadian Privacy Law Review

4 Citi Cards Canada Inc. v. Pleasance, [2011] O.J. 14 See https://www.priv.gc.ca/information/research- No. 15, 2011 ONCA 3, 103 O.R. (3d) 241. recherche/2016/iot_201602_e.asp. 5 See https://www.priv.gc.ca/information/research- 15 See PIPEDA Report of Findings #2015-001. recherche/2016/iot_201602_e.asp. 16 See https://www.priv.gc.ca/information/research- 6 Personal Information Protection and Electronic recherche/2016/iot_201602_e.asp. Documents Act, S.C. 2000, c. 5, Schedule 1, Article 4.7. 17 See https://www.priv.gc.ca/information/research- 7 Ibid., Article 4.7.1. recherche/2016/iot_201602_e.asp. 8 Ibid., Article 4.7.2. 18 An Act to promote the efficiency and adaptability of 9 Ibid., Article 4.7.3. the Canadian economy by regulating certain activities 10 Ibid., Article 4.1.3. that discourage reliance on electronic means of 11 “Breach of security safeguards” means “the loss of, carrying out commercial activities, and to amend the unauthorized access to or unauthorized disclosure of Canadian Radio-television and Telecommunications personal information resulting from a breach of an Commission Act, the Competition Act, the Personal organization’s security safeguards that are referred to Information Protection and Electronic Documents Act in clause 4.7 of Schedule 1 or from failure to establish and the Telecommunications Act, S.C. 2010, c. 23. those safeguards”. Personal Information Protection 19 See http://www.wired.com/2015/07/hackers-remotely- and Electronic Documents Act, S.C. 2000, c. 5, s. 2(1). kill-jeep-highway/. 12 Defined to include “bodily harm, humiliation, damage 20 See http://www.computerweekly.com/news/2240224012/ to reputation or relationships, loss of employment, IoT-smart-light-bulbs-get-security-update. business or professional opportunities, financial loss, 21 See http://www.armed-services.senate.gov/imo/media/ identity theft, negative effects on the credit record and doc/Clapper_02-09-16.pdf. damage to or loss of property”. Digital , 22 See https://www.ftc.gov/system/files/documents/ S.C. 2015, c. 32, s. 10.1(7). reports/federal-trade-commission-staff-report- 13 See https://www.priv.gc.ca/information/research- november-2013-workshop-entitled-internet-things- recherche/2016/iot_201602_e.asp. privacy/150127iotrpt.pdf.

54 About us McMillan is a business law firm serving public, private and not-for-profit clients across key industries in Canada, the United States and internationally. With recognized expertise and acknowledged leadership in major business sectors, we provide solutions-oriented legal advice through our offices in Vancouver, Calgary, Toronto, Ottawa, Montréal and Hong Kong. Our firm values – respect, teamwork, commitment, client service and professional excellence – are at the heart of McMillan’s commitment to serve our clients, our local communities and the legal profession. Contacts Frank Palmay, P.Eng. Co-Chair, Financial Services Regulatory and Cybersecurity Toronto 416.307.4037 [email protected]

Lyndsay A. Wasser Co-Chair, Privacy & Data Protection Co-Chair, Cybersecurity Toronto 416.865.7083 [email protected]

© Copyright 2016 McMillan LLP

McMillan LLP l Vancouver l Calgary l Toronto l Ottawa l Montréal l Hong Kong l mcmillan.ca