“Smart buildings” are not just buildings equipped with separate applications that can turn on the lights in response to vocal instructions or adjust room temperatures as the weather changes. Rather, in a smart building, various systems − heating, ventilation, lighting and security − are connected to each other to facilitate efficient and environmentally sound operations. Indeed, it is already possible to establish a system via the Internet of Things (IoT) that interconnects several smart buildings. New applications in space management, environmental monitoring, asset management, hygiene management and other emerging areas are forecasted to create US$ 2 billion in software and services revenues by 2026.
These connected devices generate valuable data, which owners and operators can aggregate, analyze and apply not only to improve building performance and understand occupants’ needs, but to predict larger market trends.
On the other hand, smart buildings raise operational cybersecurity issues since any entity that connects into a system can, if compromised, become a vector for an attack. The massive volumes of data generated by connected devices also bring with them serious concerns: not only operational issues, involving sensors, network connectivity, and storage power, but concerns about analytics – understanding what all the data means – and about security – protecting all of that data from those who want to steal and misuse it.
To address these risks, some companies have started embracing modern-scale technology as part of their everyday operations, with a particular focus on the security, privacy and reliability of their IoT devices. Meanwhile, regulators are entering the arena, expressing concerns about the potential threat to valuable personal data, and calling for heightened accountability for the property owners and operators of smart buildings.
In this article, we analyze the legal implications of operating smart buildings.
Smart buildings are smart
In a smart building system, a network of devices, empowered by sensing, processing, and communication units, detects real-world events, exchanges data, and reacts to the outside environment, monitoring certain processes and making corresponding decisions without human intervention. The data generated from such a network is a valuable asset that can be used to guide future management decisions and provide a foundation for even stronger building performance.
For example, many developers now offer myriad amenities to occupants of office buildings, such as multimedia entertainment rooms, rooftop decks, fitness centers and bars. They install and maintain such amenities not because they are following fads but because data analytics indicate their tenants or employees want them and will use and enjoy them. Long gone are the days when companies made decisions based on subjective thinking, guesswork, or the majority votes of senior managers. More and more often, real estate companies are relying on sensors and devices installed in their buildings to determine whether the amenities they provide represent the optimal use of building space. These devices give property managers real-time occupancy rates and historical usage data. A smart building system can also send notifications to occupants, unlock doors, and provide guidance in the event of an emergency by managing access control, security systems, and camera systems. Other smart building features include automatic control of routine maintenance tasks, such as ordering new light bulbs, optimizing HVAC systems by instantly streamlining heating and cooling of a space, detecting malfunctions and defects, and measuring and adjusting energy consumption via artificial intelligence-based machine learning. Smart buildings facilitate real-time data collection and provide automatic and remote control mechanisms, working far beyond the capabilities of conventional building control systems.
PropTech-equipped smart building systems resolve security and privacy issues
Such interconnected systems, however, make smart buildings more vulnerable to cyberattacks. One example is a 2017 incident in a Las Vegas casino, which was hacked via an Internet-connected thermometer in a lobby fish tank. Sensors in the fish tank, connected to the casino’s computer network, monitored the temperature, food levels, and cleanliness of the tank. The network connection, however, gave hackers a gateway into the casino’s main database, through which they were able to access high rollers’ personal information.
These cyber incidents may become more common as buildings incorporate technology and connected equipment to automate building operations. And, to make things worse, today’s hackers are going beyond basic ransomware (which holds a system hostage until a ransom is paid) to deploy siegeware − software that can take control of smart building devices, shutting down critical operations such as HVAC, lighting or security systems, and denying physical access to and from the building by occupants – and, in such siegeware cases, the control won’t be rescinded unless the hackers receive a ransom.
The typical responses to such cyberattacks include deploying a cyber-response team and carrying cyber-risk insurance to compensate for business losses that occur in the wake of a breach. In addition to these conventional methods, propTech-equipped companies are taking proactive steps, strengthening their IoT security by using heightened and advanced identity and access systems.
Networks are vulnerable to hacking mainly because of single points of gateway access. Emerging technology such as blockchain uses a distributed ledger to store recorded data, thereby decentralizing and securing data independently and lessening the range and degree of risk even if one of the interconnected devices is hacked. Further, blockchain’s resistance to data alteration significantly blocks attempts at IP address forgery, so that hackers cannot mask their identities and malicious intent by using fake access identities or otherwise temper a network’s setting. In terms of data privacy, all transactions stored on the blockchain are encrypted and are protected by a secure authentication mechanism to restrict data access. This “zero knowledge” technology ensures a verifiable proof of the private data’s validity without revealing any additional information other than the truth of the verified property. Thus, any usage or data is not easily traceable to sensitive personal information or the identity of a particular person. Highly confidential information can be stored off-chain and only transaction IDs (hashes) are recorded on the blockchain for verification purposes, providing a higher level of privacy for purposes of authorizing and issuing restricted permissions.
Smart tech, smart regulations
As new technologies are emerging, so, too, are new regulations and guidelines which largely focus on accountability and liability, given concerns that the collection and storage of digitized building data may disclose sensitive personal data. Unlike the European Union, the United States has not yet implemented comprehensive privacy and data protection laws. With a few exceptions (as noted in the below FTC recap), issues of privacy and the security of personal information are primarily regulated at the state level. There is currently no federal-level privacy law that would preempt state privacy laws. Many states have implemented laws regarding safeguarding data, disposal of data, privacy policies, appropriate use of personal information, and data breach notification.
State privacy laws
The most significant state privacy law is the California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020. The CCPA imposes substantial requirements on the collection, use, and disclosure of personal information. CCPA applies to any “business” that collects personal data about California residents. CCPA defines a “business” as a for-profit legal entity that collects and determines how California residents’ personal data is processed and meets one of the following requirements: (1) has annual gross revenue in excess of $25 million (revenue of the company in total, not solely revenue derived from California); (2) annually buys, sells, receives, or shares the personal data of 50,000 California residents; or (3) derives 50 percent of its annual revenues from selling California residents’ personal data. A business also includes any entity that is controlled by the business and shares common branding. CCPA requires businesses to provide a detailed notice to California residents that describes the business’s personal data processing and rights. Businesses are required to provide California residents, upon request, detailed descriptions of how the business discloses their personal data to service providers and third parties.
California IoT law
California’s Internet of Things (IoT) Security Law went into effect on January 1, 2020 (SB-327). It is the first IoT-specific security law in the United States, requiring manufacturers of “connected devices” that sell their products in California to incorporate “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit. The law is designed to protect the device and any information from unauthorized access, destruction, use, modification or disclosure, wherever the device is made.
Both manufacturing companies and companies contracted to manufacture IoT devices sold in California need to comply with the new law. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software – although, since the interconnectivity of third-party software may be the source of a security breach, it remains uncertain whether “manufacturers” are liable for connected device interactions with such third-party software. A “connected device” is defined quite broadly and means any device or “other physical object” that is capable of connecting to the internet (even by being paired with another device) and assigned an IP or Bluetooth address. The law is not limited to mere consumer devices. This definition potentially covers features used in a smart building, such as smart thermostats, keycard readers, security cameras, environmental control panels and light bulbs.
The “reasonable security features” requirement also includes broad standards. But SB-327 offers some clarifications. If the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. For devices without means for authentication outside a local area network, the standard will be industry- and device-specific, recognizing the ever-evolving nature of cybersecurity technologies by requiring features “appropriate to the nature of the device and the information it collects.” But note that this guidance relates only to the authentication aspect of the device. The remaining requirements of the law still mandate broadly defined reasonable security features beyond just authentication.
State breach notification laws
All 50 states plus two territories and the District of Columbia in the United States have enacted mandatory data breach notification laws. Such laws apply if certain data elements are accessed or acquired by unauthorized parties. In the event of a data security breach, the state laws require data owners to provide written notification to affected individuals. Several states’ laws require notification to be made within a certain time period and require the notifications to include specific information about the security breach. Approximately half of the states also require notice to a state regulator.
States that require notices to include certain content typically require the notice to individuals to include: (i) the identity of the notifying entity, including contact information; (ii) a description of the incident, including the date it was discovered; (iii) the categories of personal data affected; (iv) steps the individual can take to protect themselves against identity theft; and (v) contact information for the Federal Trade Commission (FTC) and the national consumer reporting agencies. The majority of state data security breach notification laws also provide a safe harbor from the laws’ notification requirements if the personal data affected by the security breach was encrypted and the encryption key was not affected by the security breach.
Certain states, such as Maryland, extend the liable parties to those who maintain the data. The Maryland Personal Information Protection Act Amendment (effective October 1, 2019) extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business. Those businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents.
State data security laws
Several state laws require data owners to implement reasonable proactive security measures to protect the personal data they collect from their states’ residents. These laws generally require a data owner to implement reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal data from unauthorized access, destruction, use, modification or disclosure – and apply in the context of information maintained about both customers and employees.
New York’s Stop Hacks and Improve Electronic Data Security Act (the first four provisions went into effect on October 23, 2019, while the last one mandating security requirements goes into effect on March 21, 2020) expands the state’s current data breach law and imposes affirmative cybersecurity obligations on covered entities. It expands the scope of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers. Further, it broadens the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any business with private information of a New York resident, not just to those that conduct business in New York State.
The Maryland Personal Information Protection Act requires businesses to conduct, in good faith, a reasonable and prompt investigation following a data breach to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.
Massachusetts law requires companies to maintain an preventative incident response plan that addresses how a company would respond to a cybersecurity incident.
Certain states, in addition to requiring an entity to maintain appropriate security measures, extend contractual obligations and liabilities to covered third-party entities. For example, Massachusetts data security regulations require that contracts with third-party service providers should, at a minimum, require the provider to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal data from unauthorized access, destruction, use, modification or disclosure; and require the third-party provider to notify the data owner in the event of a security breach so the data owner can comply with the state data security breach notification requirements.
More and more real estate companies have started adding data protection and privacy provisions to their property management agreements and third party vendor agreements and imposing obligations upon property managers to comply with such regulations and implement appropriate security measures.
The privacy or security practice may be subject to FTC’s unfair and deceptive trade practices
At the federal level, the FTC – which has trade and regulatory jurisdiction over non-bank financial institutions – expects data owners to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data they collect and to protect the personal data from unauthorized access, destruction, use, modification or disclosure. To this end, the FTC has released a set of guidelines for businesses to follow to better protect consumer privacy and security. In recent years, the FTC has focused more on security measures, emphasizing that companies should take measures to safeguard personal data, maintain cyber response processes, and train on those processes.
For companies’ security measures, the FTC uses Section 5 of the FTC Act’s prohibition on “unfair and deceptive” trade practices as the basis of enforcement for privacy- and data security-related issues. When alleging that a privacy or security practice is deceptive, the FTC reviews the representations that a company makes (or fails to make) to consumers about its privacy or security practices. A statement is deceptive if there is a “representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment.” Under Section 5 of the FTC Act and the FTC’s guidance, a company must provide accurate and complete disclosures to, and for certain practices, obtain consent from, consumers regarding the company’s collection, use and disclosure of personal data. The FTC has enforced its “guidance” against companies that did not follow such guidance or that engaged in practices similar to those found to be “unfair” or “deceptive” in prior consent decrees.
In addition to the federal FTC Act, each state has also enacted so-called “mini-FTC Acts” that provide state regulators with the ability to take actions against unfair and deceptive trade practices, which state regulators use to address privacy and data security related issues.
Historically, the three most important concerns in the real estate industry were “location, location and location.” Now “location, data and security” is becoming the new norm. Real estate companies can enjoy a competitive advantage in setting up data-driven services, but need to be mindful that data security and privacy will have a decisive impact on the success of their new business models.
The manufacturers and technology companies who design and implement IoT and the building owners and operators who contract with such IoT services in their smart buildings are being called upon to ensure greater transparency and accountability – transparency about how occupants’ data and information is used and accountability for actions to safeguard privacy.
In the coming years, we will see advanced standards for IoT device security and development of system-wide cybersecurity for smart buildings to ensure that all connected devices can communicate securely. We will also see rapid change in the data security and privacy legal landscape that regulates technology companies, owners and operators.
Prudent owners and operators of smart buildings are already taking important and necessary steps in this direction by implementing protocols to safeguard electronic data and enforcing data management guidelines that include clarity on who’s managing the data, what the data will be used for, and whether it will be sold to third parties.
But more work remains to be done. Such measures will require a comprehensive implementation strategy adopted by businesses to monitor data flow, enhance security measures, conduct periodic risk evaluations, minimize the collection and sharing of personal data, and prevent unauthorized use of personal and sensitive information. And any such successful strategy will require a systematic mechanism to identify vulnerabilities through the supply chain and reduce the potential for harm to the owners’ and operators’ systems.
Learn more about the evolving legal landscape around smart building by contacting either of the authors.