1

The Internet of Things

Suzanne Bell (Wilson Sonsini Goodrich & Rosati) Tracy Shapiro (Wilson Sonsini Goodrich & Rosati)

Vineet Shahani (Nest Labs)

2

Defining the Internet of Things� There have been prior attempts at defining IoT.

� The January 2015 FTC Staff Report acknowledges that there is “still no widely accepted definition” of the Internet of Things.

� For the purpose of the report, the FTC opted to define the IoT “to refer to ‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.”

� The FTC expressly limited the discussion to devices “sold to or used by consumers” and omitted “devices sold in a business-to-business context, such as sensors in hotel or airport networks . . . [or] broader machine-to-machine communications that enable businesses to track inventory, functionality, or efficiency.”

3

Market Size and Growth

�By 2020, Juniper Research estimates that the number of IoT endpoints will be 39 billion, a rise of more than 285%, while IDC Research estimates a rise to 29.5 billion.

� IDC estimates that the market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020.

4

Go-To-Market Strategies

�Direct to consumers

� Through resellers

�Via service providers

�By means of systems integrators

�With partners

�Using developer programs– Devices– Apps

�Hybrid models, e.g. a service provider or systems integrator can also be a developer

5

Key Commercial Terms - Channels

� Where does the software reside? And who needs a license to it?

– Device– Vendor – Service provider– Cloud or on-premises hosting

� How is the end user bound . . .

and to whom?

� Updates/support/end of life are

tricky for installed devices

� Service level obligations . . . for everyone

6

Key Commercial Terms – Channels (continued)

� Be concerned about how you can be designed out

� And how you can draft to avoid later IP claims

from your channel partners

� Who collects/stores/uses data, and how?

(more about that later)

� Security at every level

� How do you handle the installed base

on termination?

7

Key Commercial Terms – Channels (continued)

� Who has the responsibility for standards compliance and patent licensing?

� How is interoperability maintained?

� Those pesky indemnities . . .

they’re harder when everything’s

connected in a system

� Don’t forget insurance . . .

product liability is a real concern

� And a word about regulatory

8

Key Commercial Terms – End Users

�What could go wrong? – Data loss– Identity theft– Home invasion / burglary– Accident, injury– Loss of value

�And how do you best protect

or warn consumers?

�How is the end user bound?– What about updates and new terms for new

services?

�Dispute resolution (of course)

9

Data, Data, Data

�Big data is here– each of the participants in the IoT network of devices

an interest in the data that’s generated/collected

�How to reconcile everyone’s competing interests

�While keeping the data secure

�And complying with law and regulation

10

Privacy and Data Security

11

Privacy Challenges

�Data minimization– Data-driven innovation

�Notice and choice– Burdensome– Small or no screen

12

Data Security Challenges

�Data breaches– Numerous points of

intrusion– Risk to local corporate

data assets

�Hacks– ThingBots

�Safety risks– Jeep Cherokee hack

13

Privacy and Security Regulation

� Federal Trade Commission

�Congress

�White House

�Administrative agencies

14

Federal Trade Commission

� 2015 IoT Report

�Section 5 authority

�Wyndham (2015)

� TRENDnet settlment

�Enforcement risk is real and high

15

Congress and the White House

�Congressional hearings– Generates investigations

�White House IoT security certification program– Call for IoT Standards

16

Additional Administrative Agencies and Laws

�Connected Cars– FTC, National Highway Safety Administration, state

attorneys general, state public utilities commissions

�Connected medical devices– FDA, likely FTC, state attorneys general

�Connected toys– COPPA implications

17

Privacy and Security Self-Regulation

Examples:

�Automobile Industry Voluntary Code

�DAA Principles

�Nest standards

18

Privacy and Security Litigation Risks

�Media attention– Samsung Smart TVs

�Class action risks– Toyota, Ford, and

General Motors

19

Practical Considerations for Launching an IoT Product

� Privacy by design– Data minimization– Data de-identification– Notice and choice

� Security by design– Built into devices at the outset – Continuous risk assessments– Smart defaults – Pre-launch testing of security measures– Consider security at multiple levels in the product chain– Security measures for data transit and storage– Authentication

� Personnel practices should promote good security

� Service provider practices

20

IoT Standards

� There are a lot of them! And that can be a problem. – Thread, – AllJoyn/Allseen Alliance, – ZigBee Alliance, – Z-Wave, – Apple HomeKit, – IoTivity/Open Internet Consortium, – Industrial Internet Consortium, – ITU-T SG20, and – IEEE P2413, – among many others.

21

Questions and Comments?

22

SUZANNE Y. BELLPartner

Technology TransactionsIntellectual PropertyConsumer Regulatory & PrivacyEnergy Innovation & Clean TechnologyGlobal Outsourcing TransactionsOpen SourceRetail, Consumer & Advertising

ASSOCIATIONS AND MEMBERSHIPS :• Member, Board of Directors, Girl Scouts of

Northern California • Former Member, National Board of Directors,

Watermark (formerly Forum for Women Entrepreneurs & Executives)

• Former Member, Columbia Engineering Board of Visitors, Columbia University

EXPERIENCE:Suzanne Bell is a partner at Wilson Sonsini Goodrich & Rosati in the technology transactions practice. She joined the firm in 1988 and was promoted to partner in 1995. Suzanne handles technology and intellectual property transactions—with an emphasis on complex strategic alliances and outsourcing transactions—for a wide range of software, electronics, telecommunications, cloud computing, digital media, Internet, and clean technology companies. Her practice also includes strategic intellectual property asset purchases and sales; technology mergers, acquisitions, and spin-offs; and intellectual property litigation settlement agreements. Suzanne's practice includes both growth and mature companies, and she has advised many of Silicon Valley's most prominent companies from start-up to maturity.

Suzanne is the leader of the technology transactions-IT practice, which has grown from five attorneys to over 40 during her tenure. She also participates in the management of the firm in various capacities. Suzanne is a member of the Strategic Practice Development Committee and previously has served on the firm's board of directors, Policy Committee, Operations Committee, Compensation Committee, Nominating Committee, Management Committee, and Strategic Planning Committee.

23

TRACY SHAPIROOf Counsel

Privacy & Data ProtectionConsumer Regulatory & PrivacyInternet Strategy & LitigationRetail, Consumer & Advertising

EDUCATION:� J.D., George Washington University Law

School, 2001

� Magna Cum Laude

� B.A., Political Science, University of California, Berkeley, 1996

ASSOCIATIONS AND MEMBERSHIPS :

� Member, International Association of Privacy Professionals

EXPERIENCE:Tracy Shapiro is Of Counsel in the San Francisco office of Wilson Sonsini Goodrich & Rosati, where her practice focuses on privacy, data security, advertising, and marketing practices. Tracy has extensive experience counseling technology clients on compliance with privacy laws, including the FTC Act, the Children's Online Privacy Protection Act (COPPA), and EU privacy laws. She has counseled on advertising and marketing laws such as CAN-SPAM, and on the use of social media to ensure compliance with the FTC's Endorsement Guidelines. She also has advised on and written rules for promotions

Tracy spent six years (2005-2011) as an attorney at the Federal Trade Commission (FTC) in the Bureau of Consumer Protection's Division of Privacy and Identity Protection and the Division of Advertising Practices, where she focused on consumer privacy, data security, and advertising. She helped create principles for industry self-regulation in the area of online behavioral advertising, and she led the FTC's first enforcement action involving online behavioral advertising. She also litigated spyware and adware cases and brought actions enforcing the principles set forth in the FTC's Endorsement Guidelines. After her government service, Tracy worked as in-house counsel for Yahoo!, where she advised on privacy, advertising, and marketing laws. Tracy began her legal career as an IP litigator at a variety of law firms. She previously served as a legislative assistant to U.S. Congressman Brad Sherman.