Why Retailers Should Take Action to Avoid the Next IoT Security Disaster

FTC and the IoT

By Brad Ree, CTO at the ioXt Alliance.

With the burgeoning market of the Internet of Things expected to have 24.1 billion active IoT devices come 2030, the world as we know it will only continue to grow more connected. Through a constant stream of new and innovative products across items like smart speakers, wearables, and connected appliances — consumers have more options for convenience and experience at their fingertips than ever before. But with constant connection comes an exorbitant amount of shared data that has become much more accessible to hackers and malicious actors today. The baseline security measures that may have worked at protecting consumers before aren’t always effective now at preventing these kinds of attacks.

The unfortunate truth is, IoT security is an overlooked necessity for many companies and only brought to mind in instances like data breaches or when hit with legal repercussions. We saw this recently pan out with Canadian smart lock manufacturer, Tapplock, who had to suffer the consequences for its negligence on security measures in April. According to the FTC, Tapplock claimed to have an “unbreakable design” and took “reasonable precautions” to protect personal information but the device actually had several security vulnerabilities including one that created a way to gain access to users’ accounts and bypass account authentication.

Although Tapplock and the FTC had settled this matter, there were several big-box retailers that still had their locks on their shelves after the case. Whether or not these retailers knew about the security mishap, this situation begs an important question around liability for all parties involved, including the channel owner selling the end-products.

Can retailers and partners of the manufacturer also be held liable for distributing and/or selling insecure IoT devices?

Knowing the answer to this question can save the next big-box retailer from packing their shelves with faulty IoT devices and getting caught up in a storm of litigation.

Avoid Being “FTC’d”

Selling defective products is grounds for a class-action lawsuit. Retailers may not know every detail of their supply chain, but not knowing won’t save them from a visit from the FTC. Retailers must do their due diligence to be informed about their suppliers and incoming products. Taking the time to do so can potentially prevent the next IoT security disaster.

Within states such as Connecticut, California, and New York, for instance, retailers can be held liable for selling defective goods under product liability laws and would be brought under charges such as strict liability, negligence, or breach of warranty. Ensuring that security measures are put in place does not only protect retailers, it also protects consumers from having their personal information compromised.

Take Action: The Time is Now

As retailers take necessary action to protect their brand and reputation from being tainted by potential yet avoidable security disasters, there are several steps they can follow:

  • Security Notifications: While it is imperative for IoT device manufacturers to secure the technology from unauthorized access, they may not always follow through with this step. This is an even greater reason for why retailers should request regular security updates from their suppliers and manufacturers. By increasing real-time visibility, they’ll have a much better sense of IoT devices sold and establish further accountability from manufacturers.
  • Vulnerability Disclosures: The FTC has sounded the alarm around IoT security several times in recent years and their efforts to enforce security measures include the implementation of a vulnerability disclosure program. Designed to create an open dialogue between all stakeholders in a product’s supply chain, the vulnerability disclosure program offers a way for participants, such as retailers, to receive the latest security alerts on the products they sell. This enables them to take the necessary steps to quickly remove unsecured products from shelves if a security issue is detected.
  • Collaborating with Industry-Led Organizations: The need for IoT security standards has awakened some organizations within the industry to ramp up security measures. From major tech players, government organizations, and other industry leaders, they are joining forces to empower retailers with transparency and upgradability around current security standards for IoT devices. Partnering with industry-led organizations that push for a universal consensus around security places retailers ahead of the curve and adds competitive value.

Security negligence has a greater impact on stakeholders within the supply chain than most realize. Retailers are at risk for being held liable for selling defective and unsecured products and can ultimately put consumers’ data at risk if not addressed. Security doesn’t have to be an oversight if it is built in from the start and all stakeholders do their due diligence to stay informed on security updates. By taking these proactive measures, it can help save manufacturers and retailers billions of dollars in legal fees, preserve brand reputations, and keep the trust of consumers.

Related posts