Managing IoT Risk & Responsibility
Peter Westerman, VP Market Development
In my last post I gave a brief general overview of IoT for Insurance and legal professionals – along with some privacy and security implications. In this post, I’ll expand on that and look at some implications for Insurance and wellness.
Wellness, Life Health and Privacy
There are an array of new technologies that offer the potential to improve our health. Whether we’re seeking to be more fit, manage a chronic condition, or monitor a loved one’s health, there’s a cornucopia of new devices and software applications coming to market to do all of that and more.
The potential for improvements in lifestyle and health are tremendous, but there are also risks. The devices and applications have all the same vulnerabilities discussed previously, but they also introduce new issues related to privacy and what the institutions you interact with (insurance companies, employers, governments, retailers, etc.) should know about us.
Those opting into their company’s wellness program and agreeing to be monitored are more than likely to be monitored 24 hours a day – not just during work hours. Potentially their blood pressure, blood sugar respiration, heart rate – maybe someday where they are and who they’re with—will all be recorded, a vast trove of breadcrumbs giving deep insight into their lifestyle.
While the data is ostensibly collected and maintained by a third party administrator, in practice it might be difficult for them to keep that data anonymized from your employer – and once the data is generated and associated with you, there’s no guarantee it won’t be used for other, unintended purposes in the future. In practice, keeping such large volumes of personally identifiable data, handled by so many parties secure over a person’s lifetime – or longer – will be a challenge.
So, how should damages be assessed if a person’s risk profile is stolen, and released impacting future insurance coverages, loan approvals, employment, etc. for the rest of their life?
Employees are at disadvantage here. As a condition of employment, or preferred insurance benefits, they may need to consent to collection and analysis of deeply personal information that companies have demonstrated a poor record of protecting.
And who owns all this data? And what rights do the owners have in the primary data, and derivative analytics?
Moral Hazards in The Connected Economy
The Association of Computing Machinery’s Code of Ethics and Professional Conduct provides a useful framework for guiding development of products and services:
- Contribute to society and human well-being.
- Avoid Harm to Others
- Be Honest and trustworthy
1.4 Be fair and take action not to discriminate.
1.7 Respect the privacy of others.
2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
3.1 Articulate social responsibilities of members of an organizational unit and encourage full acceptance of those responsibilities.
Likewise, the IEEE Code of Ethics contains:
- To accept responsibility in making decisions consistent with the safety, health, and welfare of the public, and to disclose promptly factors that might endanger the public or the environment; to improve the understanding of technology; its appropriate application, and potential consequences;
All worthy, but there’s evidence that in a world of pervasive computing – where product designers, engineers and marketers are coming from increasingly diverse backgrounds, professionals with experience in product liability, privacy and compliance need to be more assertive in helping guide development of IoT devices and services. Insurance, legal and other risk management professionals can play valuable roles in holding technologists to these standards.
One of my hypotheses related to IoT, is in systems where a web of technologies are stitched together in often unforeseen ways, there’s a danger that the humans that created each of the sub-systems bears no responsibility for the sum of the parts. The more abstracted the people are from the final product(s), the less responsibility they feel for the final outcomes.
There is a lot of great engineering going on related to The Internet of Things, but we all need to be vigilant about all the software, devices and data handling practices in our eco-systems since in some cases the weakest link can create significant problems.
Two things are certain. We’re all going to see products and services that we never thought would exist in our lifetimes, and there’s never been a more interesting time to be a lawyer or insurance professional dealing with the impacts of technology on our society – and you have important roles to play in assuring we realize the full benefits of The Internet of Things.
Peter is responsible for developing new products and product extensions for the customers ALM serves, as well as analyzing reader behavior and usage patterns. He is currently driving several initiatives related to impact of technology on the markets served by ALM including cybersecurity, Internet of Things, Digital Automation, and Big Data & Analytics. Peter has more than 25 years of experience managing all aspects of digital transformation of business-to-business information products, including live events, web sites, research, and publications.