According to estimates from Gartner, there will be approximately 20.4 billion connected devices by 2020. About 8.4 billion of those devices will be consumer products: wearables, smart TVs, smart light bulbs, etc. Add in smart electric meters, manufacturing equipment that sends you an alert that a problem is developing, and logistics systems that guide trucks to the least-congested routes, and I think we’ll get to a place where it will seem strange if something isn’t connected.
Digital Policies for IoT Devices
As exciting as it all is, I also find it a little unnerving. It reminds me of the early days of the internet, when we were developing new things as fast as we could, while rarely thinking of the potential consequences. Since then, my experience as a digital governance consultant has made me all too aware of how dangerous that was, and how lucky we were to survive it relatively unscathed. I sense that particular demon lurking in the background again, waiting to see if we make the same mistakes in the mad race to roll out the Internet of Things (IoT).
Whether IoT is the whole point of your business or you’re simply adding IoT connectivity to your legacy products, I can’t stress enough how important it is to build IoT on a foundation of strong digital policies. You do that by having some very honest conversations about what could go wrong and then establishing policies to keep those things from happening.
What Do You Mean, “What Could Go Wrong?”
No developer who’s all excited about a new project wants to focus on what could go wrong, but that’s exactly what must be done. Here are some of the questions that would be smart to ask when developing digital policies for IoT:
What about security, which is a big issue with IoT devices intended for consumers? What will your minimum standards be? How can you mitigate these issues with your customers? Can you include coding, for instance, that forces them to change the default password on a connected device after a certain amount of time has passed? (Currently, 15% of people who own connected devices never change the default password.)
What about software updates? Should your devices update automatically? Should customers be able to prohibit them from updating automatically? If so, what sort of problems might arise from outdated software? How should you go about reminding consumers of needed updates and explaining their importance?
Do customers understand that connected devices add to the load on their WiFi network and could
Should customers still have the opportunity to buy analog versions of your connected products? A refrigerator that simply keeps things cold, for example? Will doing so make you more or less competitive? And should you charge more for devices that aren’t connected to make up for the lost data-mining opportunities? How will you explain that to customers, and what kind of backlash might ensue?
Should customers be able to override certain features? For instance, should customers be able to override a “low ink” warning on their connected printer? If not, what kind of social media crisis could ensue, such as from having a stressed-out college student who’s trying to finish a paper in the middle of the night but doesn’t have a way to get more ink?
If you do choose to allow user overrides, what criteria should you use to make that decision? In what situations could allowing overrides be harmful?
What are the opportunities for misuse (such as Alexa allowing children to order dollhouses), and what user controls should be put in place to prevent such misuse?
What about healthcare wearables, one of the fast-growing segments of IoT devices? The recently revealed Apple Watch Series 4, for example, has FDA approval to take EKG readings. Consumers might take a reading if their heart rate feels off, for example. But what will the consumers do with that information? Will they call their doctors, rush to the emergency room, ignore it, etc.? If consumers have access to more (and constant) data about things like blood pressure, heart rate, etc., whose job is it to educate them on what merits a call to the doctor (or 911)? Who will be responsible for validating the accuracy and relevance of that information? How will that information be incorporated into your customer support materials?
How often will you support and update older models? Will you make the decision to stop supporting older models so that consumers will be forced to buy new ones? What backlash might that cause from consumers?
What are your responsibilities when it comes to device malfunctions? For example, some people with diabetes use a special watch to monitor and manage their blood glucose levels. But what if the device fails to detect a dangerous change in blood glucose? Should the device warn the user that it’s malfunctioning, and should users be advised to carry old-fashioned testing kits as a backup? How should those situations be considered when conducting risk analysis?
When it comes to your industrial and commercial devices, what will be your standards for uptime? Should that change according to the purpose of the IoT device? (An acceptable uptime rate for a device that allows a nurse to monitor the vitals of multiple patients remotely, for example, would probably be higher than for one who adjusts the thermostat at quitting time.)
If you’re in the industrial IoT market, how will you coordinate required updates and maintenance with your clients’ schedules?
If your devices are used in transportation, what information are they legally required to record (or prohibited from recording) by the countries where you operate? If requirements change from one country to another, how will you ensure overall compliance?
If your devices will be used in manufacturing plants, how will you ensure that plant employees will be able to use, install, repair, and replace them without violating OSHA regulations?
How will you ensure your devices can’t be tampered with (by truck drivers wanting to get more hours after they’ve maxed out, for example)?
As you can see, there’s a LOT to think about when it comes to developing digital policies for your IoT devices (this barely counts as an appetizer!). So, how can you ensure that all these issues are covered? The answer is to treat your IoT devices just like any other digital property by developing comprehensive IoT policies and making sure no IoT device rolls out without being examined through the lens of those policies.
If you already have a digital policy program, this simply adds another layer. If you don’t already have digital policies, your organization is at greater risk than you may realize. In that case, I strongly encourage you to consider working with a digital policy expert to help you get up to speed.
Written by Kristina Podnar, Digital Policy Consultant at NativeTrust Consulting, LLC.