Tuesday, March 09, 2021

 2021-03-09 - CPRA, Sequel to CCPA

Standardize your notification and opt-out regime - Effective January 2023. Expect other states to follow.

 2021-03-09 - Discovery and the Internet of Things

You know, those formerly mute devices that now communicate. And store lots of ESI. And operate on command. Makes life so much easier: set and forget, clap hands, say the word(s), and voila! But things can, and will, happen.

Consumer IoT devices (which, for brevity's sake, will include services) run the connected gamut - from household appliances large and small, wearables, HVAC, entertainment devices, medical devices, surveillance devices (here's looking at you, Ring), drones, and last but not least, consumer vehicles of all types.

Industrial devices also run the connected gamut - from infrastructure (utilities, transportation), agriculture, manufacturing, industrial vehicles, and supply chain participants, to name just a few.

All record, store, and transmit information, and if they don't, it's likely the next generation will. What's being recorded, stored and transmitted? It depends on the device, but regardless of data (voice, electronic, etc.) input, its journey will likely take it from the device, send it over the internet (or through 5G)

What if what happens doesn't turn out too well and causes harm, injury, or a cybersecurity event? The universe of IoT devices may be divided roughly into two categories: Consumer and Industrial.

Suppose that one (or all - think class or mass litigation) of a particular model of device malfunctions and causes economic harm or injury to the buyer, or a non-buying user, and that litigation ensues.

From a Litigation Intelligence perspective, the discovery process now becomes even more complex. The parties will need to understand that the nearly routine tasks of meeting and conferring to ascertain discovery scope, custodians, repositories and formats are more nuanced for IoT devices and objects.

Setting aside (but not de-emphasizing) scope and preservation obligations for the moment, some initial questions should be addressed:

1. Custodians - Who "owns" the data? Who programmed the device, the management platform, or the mobile app? Who has custody, control or possession? Who, or what, is an IoT ESI custodian to begin with? IoT ESI, which could be output, firmware, or metadata, may be resident in a device, in a web (or 5G) management platform that controls the device, or in a computer backup, real or virtualized.

2. Repositories - The IoT Device? Remote Management Platform? Mobile Device Interface? Cloud?

3. Formats - Proprietary formats mean usability issues. What about legacy or orphaned devices?

Stay tuned.