The document discusses mobile devices and the Internet of Things (IoT). It provides examples of IoT applications like smart homes, connected cars, smart buildings, and addressable medical devices. It notes both the promise and challenges of IoT regarding privacy and security. The document outlines a framework for analyzing IoT privacy sensitivity based on the level of direct action, decision making, and information sharing involved. It provides tips for successful IoT development, including mapping information flows, understanding rights and obligations, employing data minimization, conducting privacy and security assessments, and avoiding being "creepy." Resources on IoT privacy and security from organizations like the FTC, FDA, and EU are also cited.

1. Mobile Devices and Internet of Things
Benchmark Litigation Data Security & Privacy Forum
- February 11, 2016

2. 2
Contents
1. IoT – What Are We Talking About
2. IoT – Examples and Framework for Privacy Analysis
3. Top 10 Practitioner Tips for Successful Development and Roll-
Out of IoT
4. A Few Resources

3. 3Introductions
James H. Koenig (Moderator)
Privacy and Cybersecurity Practice and IoT Practice
Paul Hastings LLP+1.610.246.4426
jimkoenig@paulhastings.com
Debra Bromson
Head of Global Privacy and Sr. Compliance Counsel
Jazz Pharmaceuticals
Seth Blinder
Senior Counsel
Privacy & Data Protection
MasterCard

4. Section 3. Overview of a Proposed Assessment for Pfizer
IoT – What Are We Talking About,
Examples and Framework for Privacy Analysis

5. 5
IoT – What Are We Talking About
FTC Definition.
“The Internet of Things (“IoT”) refers to the ability of everyday
objects to connect to the Internet and to send and receive
data.”
Promise and Challenge.
IoT technologies have great promise for allowing certain
functions to be triggered by passive monitoring criteria. Need
to balance convenience with privacy and security.
Internet of Things by the Numbers:
• 25 billion connected devices worldwide (FTC 2/15)
• Gartner Estimated (2015):
• 2.9 billion connected devices in just the consumer sector
• 5 billion devices total
• 25 billion by 2020

6. 6
IoT – Examples and Framework for Privacy Analysis
IoT Examples: Privacy and Security by Design - Essential for IoT Success.
 Smart Home. When you near your home, the garage door opens and the lights and heat turn on to your
preferred setting. While convenient and cost-efficient for the homeowner, if access to this technology
were to fall into the wrong hands it could notify a burglar in real-time when you are home and, from
monitoring your history, could reliably predict your typical routine.
 Connected Cars. While autonomous-driving cars promise increased efficiencies in traffic and fewer
collisions, if privacy and security are not properly built in by design, the control of such a vehicle could be
commandeered by a hacker, possibly jeopardizing the personal safety and security of the passengers.
 Smart Buildings/Cities. By monitoring when people are in offices and the surrounding sun and weather
conditions, smart building and security technologies are already creating energy heating and cooling
cost savings. Yet, if proper safeguards are not implemented, such technologies may unintentionally
capture private, personal images (e.g., pictures of individuals who are having a relationship and wanted
to be private and alone).
 Addressable Medical Devices. While internet-based glucose pumps and heart pacemakers have
helped patients better monitor and manage conditions, if proper cybersecurity assessments are not
conducted as required by the FDA, a medical device could be weaponized by a hacker and put the
patient’s health and safety at risk.
IoT Privacy Sensitivity Framework (Used in Automotive, Health & Telecomm)
• Level 1 – Direct Action/Reaction (IoT to replace a human action, like turn a light off)
• Level 2 – Delegates Decision-Making and/or Involves Machine Learning (“Drive
me to X” (or takes actions based on your learned routine or preferences))
• Level 3 – Information Sharing and Device to Device Communications
(can be platform-to-platform or network-to-network curated sharing decisions)

7. Section 3. Overview of a Proposed Assessment for Pfizer
Top 10 Practitioner Tips for
Successful Development and Roll-Out of IoT

8. 8Top 10 Practitioner Tips for IoT Success
• Tip: Map the personally identifiable information flows and
uses (common now), but also map other information that
could be used in analytics or otherwise combined to identify
a person (e.g., location/GPS, vital signs). [Debbie]
1. Map, Map, Map
• Tip: In IoT, information is collected and pulled in many more
directions than before and involves more parties. Mapping
now must also track the rights and obligations of each
involved party. [Seth]
2. Understand the Right and Obligations

9. ©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis
• Global patchwork of privacy laws + globalized business =
challenge
12 April 20169
• How does this come up?
• Most projects are multijurisdictional
• MasterPass – Product Development and
Expansion
• Simplify Commerce – Product Development and
Expansion
• MasterCard Datacash – Acquired UK payment
processing business

10. ©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis
• Goal is always to understand the rights and obligations that attach to data at
point of collection and throughout lifecycle
• First, what is the business matter at hand?
– What are we doing (and where)?
– What is our role in the ecosystem?
– Who are we working with?
• Then, how does data layer in?
– Country of collection / data subject
– Entity/mechanism of collection
– Notice & consent mechanics
– Cross-border transfers
– Type of data elements collected and processed
– Nature of processing (primary and secondary uses)
– Sharing with third parties / participants in an ecosystem
12 April 201610

11. ©2015 MasterCard. Proprietary and Confidential.
In-House – A Global Privacy Analysis
• Result of that analysis drives
– Product design
– Contract terms
– Security protocol
– Risk allocation and determination
• Analysis applies to all situations
– Acquisitions and investments
– Product development and expansion
– Contracting with customers and vendors
– Incident response
12 April 201611

12. 12Top 10 Practitioner Tips for IoT Success
• Tip: In IoT, information is collected and pulled in many more
directions than before and involves more parties. Mapping
now must also track the rights and obligations of each
involved party. [Seth]
3. Privacy Notice Maybe Dead (or Morphing)
– How to Address in IoT
• Tip: New Technology needs new model to succeed.
Consider model for agency over permissions. [Jim]
4. Sharing and Notice

13. ©2015 MasterCard.
Proprietary and Confidential
April 12, 2016
Data Minimization
• Only collect the data necessary for
purposes at hand, not additional
Security
• Data should be protected by
reasonable security safeguards
Openness
• Provide transparency
• Data subject has rights to know
what is being done with their data
• Avoid surprises
Notice
• Explain what data is being
collected
• Who it will be shared with
• What is being done to it
Consent
• Informed, voluntary,
current and specific
• Revocable (opt-outs)
Use Limitation
• Only use, share, disclose
data with consent of data
subject
• No secondary uses
Fair Information Privacy Principles

14. 14Top 10 Practitioner Tips for IoT Success
• Tip: Employ data minimization and creativity for security
(e.g., keep information on the device, not networked).
[Debbie]
5. Know Where Your Data Is
• Tip: Work with engineers and set up escalation process for
sensitive activities. [Seth]
6. Privacy and Security By Design

15. 15Top 10 Practitioner Tips for IoT Success
• Tip: For IoT security assessments, this is different than
historical, controls security assessments as the threat
surface and potential areas for vulnerabilities expands.
[Debbie]
7. Conduct a Cybersecurity and Threat
Assessment
• Tip: Privacy Impact Assessments (take many forms) are key
to identify potential repercussions of secondary and
unintended uses and consequences. [Jim]
8. Conduct a Privacy Impact Assessment

16. 16Top 10 Practitioner Tips for IoT Success
• Tip: IoT often involves data processed, stored or analyzed in
the cloud. Be alert when data flows into many jurisdictions
outside of the US. [Seth]
9. Jurisdictions
• Tip: Avoid being creepy! [Jim, Debbie and Seth]
10. Business Judgment

17. Section 3. Overview of a Proposed Assessment for Pfizer
A Few Resources

18. 18A Few Resources
Favorites Resources. Among the many resources available, below are a few key resources:
i. FTC – Internet of Things – Privacy and Security in a Connected World, FTC
Report on the Internet of Things (IoT) 2015.
https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-
report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
ii. FDA - Content of Premarket Submissions for Management of Cybersecurity in
Medical Devices, FDA Guidance in October 2014.
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Guida
nceDocuments/UCM356190.pdf
iii. FDA – Design Considerations and Pre- Market Submission Recommendations
for Interoperable Medical Devices, FDA Draft Guidance in January 2016.
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Guida
nceDocuments/UCM482649.pdf
iv. EU Article 29 Committee - Opinion 9/2014 on the on Recent Developments on
the Internet of Things. http://ec.europa.eu/justice/data-protection/article-
29/documentation/opinion-recommendation/files/2014/wp223_en.pdf
v. UK Police - Internet of things: potential risk of crime and how to prevent it,
March 2015.
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/41011
7/Internet_of_things_-_FINAL.pdf

19. Questions?
Presentation
Copies:
Jim Koenig
+1 610-246-4426
jimkoenig@paulhasting.com