FTC Shares Best Practices for Businesses To Protect Health Data
January 27, 2015 in News
On Tuesday, the Federal Trade Commission released a report highlighting the public health benefits of devices that can transmit health data to the Internet, as well as the security and privacy risks that could come along with such technologies and undermine U.S. residents’ trust, the New York Times‘ “Bits” reports (Singer, “Bits,” New York Times, 1/27).
The report was based on:
- Feedback from academic professionals, consumer advocates, industry representatives, technologists and others who attended the FTC’s Internet of Things workshop in November 2013; and
- Public comments that FTC received on the subject (FTC release, 1/27).
In a statement, FTC Chair Edith Ramirez said that the report includes best practices that businesses can use to “be better able to provide consumers the protections they want.”
The report recommended that companies:
- Consider limiting the amount of data devices can collect from consumers and the amount of time devices retain such data;
- Ensure their contractors can maintain security for the device systems;
- Examine practices that could help keep unauthorized individuals from accessing consumers’ data or devices; and
- Institute security measures during their development process for devices and sensors that connect to the Internet instead of including the measures post-development (“Bits,” New York Times, 1/27).
In addition, the report recommended that businesses:
- Consider defensive strategies that include multiple security layers to combat specific risks when they are identified;
- Monitor Internet-connected devices throughout their anticipated life cycles and provide security patches to defend against identified risks as necessary;
- Notify consumers about how their personal data will be used and give them choices on how the information will be used; and
- Train their employees on the “importance of security” and make sure security efforts are “managed at an appropriate level in the organization” (FTC release, 1/27).