Wearables have been on the market for quite some time, though the definition of them has certainly changed over the years. Wearables have become far more capable in the past decade, bringing with them a barrage of other issues that need to be addressed. Chief among them is how these devices should be regulated, and by whom.
When you crunch the numbers, wearables have been an overwhelming success, and they are much appreciated by their consumers. The number of connected devices in the world was a modest 525 million in 2016, but it is expected to skyrocket to 1.1 billion by 2022. It’s estimated that 167 million smartwatches and wristbands will be shipped that same year.
It’s clear that wearable technology is a commercial success, giving those who research and create it more than enough reason to pursue its continued manufacturing, but there are major concerns regarding security that need to be addressed.
Wearables present security risks that all businesses need to address. One example of a wearable-related data leak comes from the heat mapping feature of the Strava fitness application, which accidentally revealed the locations of classified military bases. Wearable devices are also not updated as frequently as other devices, meaning that they could be more likely to contribute to a DDoS attack as part of a botnet or provide hackers with an unsecured network access point.
It’s also important to consider that these devices tend to collect data. In many ways, the data they collect can work to the user’s disadvantage, so users need to consider how the data gathered by any of their devices could be used.
Any technology that makes a big enough splash is one that will eventually be subject to regulations. However, the governing bodies and organizations that would put these regulations in place might not be able to do so at any given time. Here are a few to consider:
The Federal Food, Drug, and Cosmetic Act doesn’t have any power over wearables, even medical devices, because they are defined as a “low-risk general wellness product.” Therefore, the manufacturer’s intended use of the device is what defines it as a medical device or not, meaning that devices that are put together by wearable manufacturers won’t be classified under this umbrella term according to the FD&C Act’s standards.
The Health Insurance Portability and Accountability Act protects the individual’s right to their health information. HIPAA provides many protections, but it doesn’t specifically cover wearable technology. Wearable manufacturers also aren’t touched by the secondary use of health data, which is the use of personal health information beyond the direct delivery of healthcare. Considering how all data is produced by a consumer and not a covered entity, the secondary use of health data doesn’t apply.
The Federal Trade Commission can go after companies that are carrying out deceptive practices, including a failure to comply with a privacy policy. This applies both to entities that are covered by HIPAA and to those that are not, and the FTC Act dictates how non-covered entities handle their health information-related security practices. The FTC can also bring legal action against organizations that are careless with consumer information, whether through violating privacy rights or failing to keep proper security measures.
The FTC has made its stance on wearables clear. In 2017, the FTC reported that few companies ever discuss their cross-device tracking practices in their privacy policies. Cross-device tracking can allow multiple devices to be associated with a single user by linking that user’s activities across the devices. Therefore, the FTC Act is probably one of the more effective ways of keeping wearable companies accountable for their actions.
What are your thoughts on these devices? Let us know in the comments.