Internet of Things: companies must get privacy and security right, warns PwC data protection partner

Companies working on products and services intended to take advantage of the Internet of Things (IoT) must get privacy and security right - or risk an erosion of trust that will be potentially damaging to the development of the market.

That is the warning of Stewart Room, head of PwC legal's cyber security and data protection practice.

"The big issue is how well we respect customer wishes regarding the use of their identity, and how well we ensure that this is respected over time. That's the key challenge," said Room, who was speaking at a roundtable event jointly hosted by PwC and open-source identity management software company ForgeRock.

"If any business gets this wrong, what they are running towards is a serious trust, confidence and legal crisis. It's really important that we [the wider IT industry] tackle this; that we see the need for a 'joining up' of skills - it's not a tech solution, a consultant solution or legal solution. It's how businesses interact with customers, understand their needs and come up with solutions that satisfy their needs," said Room.

Already, he added, PwC's legal practice has advised a number of companies over their legal obligations with regard to IoT devices - and those obligations are set to expand, particularly in Europe with the imminent introduction of the European Union Data Protection Regulations.

One particular area, he said, was in the energy sector with smart metering, which is being rolled out in the UK and globally, as well as connected thermostats, which enable home heating systems to be controlled remotely.

"What you are getting is pre-event analysis - privacy by design. Then you've got the agile businesses coming up with new ideas, which understand that privacy is a legal issue, but don't understand what that means in terms of potential impact on the business... the third is the entity that hasn't even thought about it, which will come unstuck," said Room.

Last year, a report by HP-Fortify found that an alarming number of connected devices were riddled with basic security errors, such as weak passwords, unencrypted network services, insecure interfaces and cross-site scripting risks.

Furthermore, warned Room, the legal environment is moving towards making device makers responsible for the security flaws in their products - especially when they are as glaring as some of the shortcomings highlighted in the HP-Fortify report.