Wearable Devices: Will They Face Regulatory Scrutiny?

As it continues to ramp up its cybersecurity enforcement efforts, the Federal Trade Commission could take action next year against the makers of consumer wearable devices if they fail to live up to their promises to protect the privacy of health data and other information, says security researcher Stephen Cobb.

The FTC "looks for opportunities to enforce its advice," says Cobb of the security firm ESET. "We saw that in the early days of privacy policies on websites, and I think we're going to see that in the case of wearables or Internet of Things devices where there's a clear-cut case of a company promising to protect information, or take privacy seriously, and then failing to follow through with that promise - [prompting] the FTC moving against them with one of their actions."

Over the last 15 years, the FTC has launched more than 50 cases against companies for security-related issues, he notes in an interview with Information Security Media Group. On Dec. 17, the FTC announced a record $100 million settlement with Lifelock in a case that, in part, stemmed from the identity protection company failing to establish and maintain an information security program to protect customers' personally identifiable information (see LifeLock Settles FTC Case for $100 Million).

"The FTC sees itself as the champion of consumer data privacy and data security," he says.

Potential FDA Actions

In the meantime, the Food and Drug Administration also could take a close look at the security of wearable devices that collect health data, he predicts. "The FDA is looking at to what extent does a wearable device become a medical device. And certainly in the medical device area, there are rules and regulations about security, and the potential to challenge devices or companies if they are not taking security seriously."

Like the FTC, the FDA has been intensifying its attention on medical device cybersecurity. In August, for example, it issued a warning urging healthcare organizations to discontinue the use of a family of medical devices from manufacturer Hospira due to safety concerns related to cybersecurity issues (see FDA: Discontinue Use of Flawed Infusion Pumps).

In the interview, Cobb also discusses:

The precautions that healthcare organizations and operators of workforce wellness programs should consider when patients and employees share their health-related data from wearable devices; What makers of consumer wearable devices should be doing to improve the data privacy and security of these products; What consumers using wearable devices can do to better protect their privacy.

Cobb, senior security researcher at ESET, has been specializing in information assurance and data privacy for more than 20 years, advising government agencies and some of the world's largest companies on information security strategy. He currently leads a team of researchers at the North American headquarters of ESET. Cobb has written a book on data privacy and contributed numerous chapters to information security textbooks.