The Need for Consolidated IoT Data Management and Archiving

I remember, back in the late 1990s, when I was working at HP, seeing HP Lab’s very early demos of their “Cooltown” project for the first time. The goal of Cooltown was to provide infrastructure for “nomadic computing”, a term the project used for human-oriented mobile and ubiquitous computing. The briefing I received included the concept that every electronic device would be connected to the internet (including a future mobile internet) and would be continually communicating with each other. For those of us able to review the concept, it was mind-blowing. In my mind, this was one of the earliest visions of the Internet of Things (IoT).

Fast forward to 2020 and IoT is now a well-established fact, accelerated by the proliferation and acceptance of cloud computing. The proliferation of next-generation Internet of Things (IoT) devices is beginning to flood the market and open many new use-case possibilities – and business considerations.

IoT use Accelerates

In an article published earlier this year, Business Insider estimated that by 2025, the total number of IoT devices would surpass 64 billion. Research from Fortune Business Insights estimates that the overall market size will reach $1,102 billion by 2026. While the IoT technology stack has advanced dramatically in recent years, the technology and potential use cases are still in the early growth phase.

The adoption of IoT devices by all sectors will provide numerous advantages for companies and industries, including in healthcare, manufacturing, hospitality, transportation, aggro-tech, and finance, as well as many more. But to organizations in the early phases of adoption, it’s still a mixture of technical standards and conflicting opinions. Most, however, agree that it has enormous potential - if the data generated by IoT devices can be captured, managed, and utilized correctly.

Some questions to consider:

1. Will IoT data be uniformly formatted?
2. Will there be hundreds of specific device repositories within an organization (think of the thousands of IoT devices already being utilized in hospitals)?
3. How long should the IoT data be collected and kept?
4. Will regulatory authorities want to create laws around IoT data retention?
5. How will the new privacy laws affect IoT data?
6. Will it be vulnerable to eDiscovery requests?
7. How will the devices and data be secured both at rest and in transit?
8. Will IoT data become a primary target of hackers?
9. Will IoT data become a liability for companies?

All Data is Created Equal in eDiscovery - Specific Issues with IoT Data in Litigation

The first thing to keep in mind: any data can be asked for via eDiscovery request if potentially relevant to the case.  This includes data generated from IoT devices. In fact, there have already been many legal cases that involved IoT data discovery. For example, the discovery of pacemaker data in a murder case, the discovery of smart speaker data, discovery of fitness wearable data, and discovery of biometric device data. As more companies adopt IoT devices throughout their organizations, everyday things such as refrigerators, coffee makers, smart light bulbs could become a focus of discovery.

Like all other forms of corporate data, IoT data does not explicitly need to be retained and managed, (just in case of a future eDiscovery request). However, if an organization with IoT devices can anticipate (reasonably foresee) a future lawsuit, their duty to preserve potentially relevant data (including data from IoT devices) is triggered immediately from that date. This duty to preserve stems from the amended (2015) Federal Rules of Civil Procedure (FRCP) Rule 37(e).

Anticipation: When to Archive, When to Delete IoT Data

There are two distinct topics under the concept of anticipation: when that duty is triggered, and what data is covered under it. The trigger is usually an event such as news stories, other industry lawsuit filings, or even overheard conversations that can go back years. A compelling case, Micron Technology v. Rambus, 2009-1263 (Fed. Cir. May 13, 2011), shows how a lack (or the ignoring) of anticipation can cost you big time. What potential evidence must be preserved is a bit more of a grey area because very early on, the specifics of the case may not be known. Hence GCs from many companies erring on the side of caution and initially over-preserving data. As more of the case becomes known, attorneys will fine-tune what data is required, reducing the data on legal hold.

Many of the current IoT devices have limited capabilities to store the data they generate. Some will transfer data to an individual cloud account.  However, if you have thousands of IoT devices and individual applications, how can your corporate legal team place legal holds in the first place, much less search thousands of cloud accounts? Another question: do these devices reset themselves, or do they overwrite data once their limited storage is full, losing all the data still onboard the device? Wouldn't this amount to a destruction of evidence?

A fascinating question: what percentage of GCs would even think to consider data residing in the many IoT devices propagating the average business? i.e., smart light bulbs, coffee machines, copy machines, printers, security and access controls, climate controls, equipment IoT trackers, Alexa for Business, self-vacuuming Roombas, smartwatches, and smartphones. The point is, soon, there will hundreds or thousands of IoT sensors in an average corporate environment that could be relevant in litigation.  Such devices represent a huge new source of evidence for a plaintiff’s lawyer.

For many attorneys, accessing IoT devices is not considered practical, nor in many cases is there an actual process to capture IoT data into a repository that can easily be accessed and managed. However, based on the already established rule that any data can be asked for via eDiscovery request, enterprise IoT data will begin to appear in eDiscovery requests soon.

Internet of Medical Things Data is a Significant Cyber-Security Concern

A July 2018 Deloitte report on the Internet of Medical Things (IoMT) estimated the IoMT market will be worth $158.1 billion by 2022, up from $41 billion in 2017. Advances in medical technology (medtech), as well as healthcare industry regulatory requirements, are driving the need for IoMT data consolidation and security.

In 2018, there were already thousands of different types of medical devices – a growing number of them considered IoMT devices. These include mobile devices like skin patches, insulin pumps, blood glucose monitors, pacemakers, implantable cardioverter defibrillators, and stationary medical devices such as in-room patient monitors, imaging devices, scanning machines, not to mention doctor’s mobile devices.

Innovations in IoT technology, including wireless technology and small device computing power, are powering a considerable rise in new IoMT devices. Connectivity and communications between independent IoMT devices are transforming modern healthcare, reducing the overall risk of misdiagnosis, and increasing healthcare worker productivity. However, connectivity and the ability for devices to utilize different IoT device formats still have a long way to go. Additionally, many IoMT devices have limited data storage capacity, so without constant management, the possibility of critical data loss still exists. IoMT device data interoperability requirements for unrestricted data use is a huge challenge to realize the potential benefits mentioned above. 

IoMT device and cyber data security is an absolute requirement for hospitals to embrace the IoMT fully. The liability of lost, corrupted, and breached IoMT data will drive litigation costs and regulatory fines to unplanned for levels. Medtech vendors will need to establish real-time device monitoring, real-time cyber-threat modeling, analysis, and threat mitigation.

To alleviate these challenges, hospitals need a centralized Vendor Neutral Archive (VNA) as part of an integrated governance network for capturing, securing, analyzing, and managing all Internet of Medical Things data streams to meet regulatory data retention requirements, security and access control, cost control, and to aid in AI-assisted critical insights and diagnosis. The unobstructed use of IoT across all areas in a hospital (because of common formats and consolidated data storage) can significantly contribute to increased accuracy in patient diagnosis and treatment, without increasing costs.  

IoT Data Security – is Your Company Ready?

IoT devices have become a primary target of cyber-criminals as a way into corporate networks. But what about the security of the actual data generated by IoT devices.? In 2019, IDC estimated that by 2025, IoT devices are expected to create 79.4 zettabytes of data. Corporate IoT data will contain a great deal of sensitive information that companies would rather not leave the enterprise. A large percentage of this data will contain data from video surveillance operations, but additional data types will include data from personnel tracking, security operations, and manufacturing operations.

In 2019, the United States Senate Homeland Security Committee advanced a bill designed to govern the security of the Internet of Things. The "Internet of Things Cybersecurity Improvement Act of 2019" sets baseline cybersecurity standards for IoT devices purchased by the federal government. Sponsor Senator Mark Warner (D-VA) stated:

"This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices."

The Electronic Privacy Information Center (EPIC),  a public interest research center in Washington, DC, recently told Congress that "the IoT network is the weak link in consumer products" and urged the establishment of mandatory privacy and security standards for all IoT products.

Many IoT devices are managed by their own specific applications, for example an iPhone application which wirelessly monitors the temperature of your office. Without a common data format and data consolidation, the management, utilization, and storage of IoT data across the enterprise will be complicated and not yield the results many hope for.

Additionally, the unconsolidated nature of IoT data streams will make it much harder to find and secure sensitive data as well as make it near impossible to run analytics and eDiscovery search/review.

Centralize IoT Data Management and Archiving

The first step in addressing your IoT fragmented data environment is to collect and consolidate all enterprise IoT data (or IoMT data) to be stored in a centralized cloud archive repository for greater security, retention/disposition, legal hold, AI-assisted analysis, and export. In reality, what’s needed is an IoT vendor-neutral cloud-based archive (VNCA).

The second step is to encrypt all archived IoT data, on-premises, before movement to the cloud archive, in such a way as to allow ongoing utilization of the data, i.e., management, analytics, and eDiscovery. One of the few ways to do this is to use homomorphic encryption - an encryption scheme that enables analytical functions to be run directly on encrypted data while keeping the data fully secured. By encrypting the IoT data before storing it in the cloud archive, you maintain full control of the encryption keys, on-premises, instead of letting the cloud vendor create and manage your encryption keys.

IoT data will quickly become a tremendous asset, as well as a huge liability for organizations. Businesses and government agencies will need to treat IoT data as they would their other sensitive data.

To find out how Archive360 can help you address your IoT data archiving needs and how our homomorphic encryption is helping some of the most security-conscious organizations in the world protect and control and the security of their data, click the Contact Us button at the top of the page.