Smart Building and Smarter Protocols: Mitigating IoT Cybersecurity Risks in Commercial Real Estate

From our homes to our workplaces, the deployment of smart technology is becoming increasingly prevalent. The Wall Street Journal notes that smart-building-related companies raised $2.88 billion in venture capital in 2021. In previous posts, we’ve discussed the increased use of smart technology in commercial real estate, the importance of a thorough and rigorous research and evaluation process, and various factors to consider in contracts for smart technology. These evaluation and contract processes are vital for developing security guardrails to which smart technology suppliers must adhere. A rigorous, security-centric approach to smart home technology can help protect real estate companies from catastrophic PR and financial fallout from a security incident such as the Mirai malware attack in 2016 that targeted insecure Internet of Things (IoT) devices. The average cost of data breach incidents increases with each year and, in 2021, the average cost of a data breach incident was $4.24 million. More than ever, companies must not only be aware of the cybersecurity risks of these technologies but take the necessary steps to address their vulnerabilities.

Increased Vulnerability
As IoT connectivity increases, cybersecurity risks increase exponentially. Each smart item that increases the convenience of the building—such as cameras that recognize an employee’s face and hail elevators for them, air quality monitors, speakers, doors, and security systems—adds a potential point of entry into the building’s cybersecurity environment, and each such connectivity point is one that hackers can target. Remember that hackers only need one point of entry: hackers stole 40 million credit and debit card numbers from Target by targeting Target’s HVAC contractor in one of the biggest known corporate breaches in U.S. history.

Increased Sensitivity
The increase in smart technology poses unique privacy and security concerns. What data is being collected, how much, and for how long? Is the smart technology solution collecting personal contact information, and is the solution sharing that data with third parties? Are devices with cameras collecting, storing and sharing images? If so, for how long will the recorded images be stored, and where? Will employees have access to that data? How will the company handle images of children or other sensitive recordings? If voice recognition is involved, is the device “always listening” and storing and sharing conversations? Individuals are increasingly aware of reductions to their privacy; however, consumers and employees still have expectations of privacy in their homes and offices. It is imperative that companies know what data is being collected and develop internal controls to manage the data while also requiring suppliers to adhere to rigorous privacy standards.

Companies must also make sure they collect only the data that needs to be collected. Too often, a company’s attitude about data collection can be summed up as follows: Collect it all now and figure out what to do with it later. This approach is the wrong one. On the one hand, analysis of the data may yield important insights about user behavior. On the other hand, data that is collected must also be protected and processed in accordance with a compliant privacy policy. Collecting “too much” data may mean a company loses sight of everything it is collecting. When companies do not know what they have, they do not know what needs protecting. And the overlooked, forgotten data is often less protected. When hackers strike and consumers are harmed, “we did not know we had that” is not the answer lawmakers, end users or regulators will accept.

Regulatory Compliance
All companies collecting personally identifiable information must abide by state, federal, and international laws regarding data privacy. This regulatory framework is made even more challenging due to the fact that these laws are in a constant state of change. In the U.S., states are increasingly passing data privacy laws that both create consumer rights and impose security and assessment requirements on businesses. Companies in regulated industries (such as financial services) must contend with heightened security protocol requirements and additional data privacy laws. Regulations may put responsibility on companies to protect themselves from breaches, whether accidental or not. Companies should ensure contracts with vendors require vendors to address security concerns as part of a holistic approach to protecting the enterprise and its end users.

Recommendations
This array of vulnerabilities, sensitivities and responsibilities may seem daunting, but property owners can greatly mitigate their risks through robust security provisions in contracts and by refining internal operational protocols.

Contractual: To the extent that smart technologies and services are outsourced to third parties, contracts should account for how the supplier will protect any data collected, processed, stored, and shared. Contracts should also limit the collecting, processing, storing, and sharing of data to what is necessary. Make sure the contracts allocate the risks for any potential security breaches. Contracts should also outline the measures the supplier must take following a data security incident. Consider including audit rights to perform a review of the supplier’s systems before and after any incidents. Contractual commitments may mean that the supplier is held liable in the case of a data breach due to flaws in its technology, services or security protocols.

Operational: In addition to contractual precautions, companies can implement operational changes to better protect themselves against any potential data security incidents. Companies should limit the number of devices processing sensitive information and limit the access each connected technology has to strictly necessary information. Devices processing sensitive information should also be moved or isolated to separate networks with increased security controls. Safeguard access to sensitive systems and applications using multifactor authentication, and limit the number of people with highly privileged access. Companies should revisit and update any security protocols they have in place. Consider hiring personnel with data security expertise, train employees on the protocols, and ensure they understand the policies. Implementing these operational components can supplement risk mitigation provisions in contracts.

Smart buildings and homes will continue to take over our skylines, for though smart technologies bring with them increased information security risks, they also allow for operational efficiencies and personal convenience that leaseholders and occupants alike will be unwilling to relinquish once gained. Implementing and utilizing these innovative technologies and services requires a careful strategy in order to mitigate those security risks. Ultimately, smart technologies are here to stay, and those who take the necessary steps now stand to reap the benefits for years to come.
