According to estimates from Gartner, there will be approximately 20.4 billion connected devices by 2020. About 8.4 billion of those devices will be consumer products: wearables, smart TVs, smart lightbulbs, etc. Add in intelligent electric meters, manufacturing equipment that sends you an alert that a problem is developing, logistics systems that guide trucks to the least-congested routes, and I think we’ll get to a place where it will seem strange if something isn’t connected.

Digital Policies for IoT Devices

As exciting as it all is, I also find it a little unnerving. It reminds me of the early days of the internet when we were developing new things as fast as we could, while rarely thinking of the potential consequences. Since then, my experience as a digital governance consultant has made me all too aware of how dangerous that was — and how lucky we were to survive it relatively unscathed. 

But I sense that particular demon lurking in the background again, waiting to see if we make the same mistakes in the mad race to roll out the internet of things.

So whether the internet of things is the whole point of your business or you’re adding IoT connectivity to your legacy products, I can't stress enough how important it is to build the IoT on a foundation of strong digital policies. And you do that by having some candid conversations about what could go wrong and then establishing policies to keep those negative outcomes from happening.

What Do You Mean, 'What Could Go Wrong?'

No developer who's excited about a new project wants to focus on what could go wrong, but that's precisely what must be done. Here are some of the questions that would be smart to ask when developing digital policies for IoT:

Considerations for Consumer Products

  • Security — Security is a big issue with IoT devices intended for consumers: What will your minimum standards be? How can you mitigate these issues with your customers? Can you include code, for instance, that forces them to change the default password on a connected device after a certain amount of time has passed? (Currently, 15 percent of people who own connected devices never change the default password.)
  • Software Updates — What about software updates? Should your devices update automatically? Should customers be able to prohibit them from updating automatically? If so, what sort of problems might arise from outdated software? How should you go about reminding consumers of needed updates and explaining their importance?
  • WiFi Drag — Do customers understand that connected devices add to the load on their WiFi network and could, therefore, slow things down? Should you communicate that to customers before or after purchase? What support should you offer customers who suffer a dip in their WiFi performance after installing your device?
  • Analog Options — Should customers still have the opportunity to buy “analog” versions of your connected products? A refrigerator that keeps things cold, for example? Will doing so make you more or less competitive? And should you charge more for devices that aren't connected to make up for the lost data-mining opportunities? How will you explain that to customers, and what kind of backlash might ensue?
  • Feature Override — Should customers be able to override certain features? For instance, should customers be able to override a “low ink” warning on their connected printer? If not, what kind of social media crisis could ensue — from, for example, a stressed-out college student who’s trying to finish a paper in the middle of the night and doesn’t have a way to get more ink?
  • Override Oversight — If you do choose to allow user overrides, what criteria should you use to make that decision? In what situations could allowing overrides be harmful?
  • User Controls — What are the opportunities for misuse (such as Alexa allowing children to order dollhouses), and what user controls should be put in place to prevent such misuse?
  • Healthcare-Specific Responsibilities — What about healthcare wearables, one of the fast-growing segments of IoT devices? The recently revealed Apple Watch Series 4, for example, has FDA approval to take EKG readings. So consumers might take a reading if their heart rate feels off, for example. But what will the consumers do with that information? Will they call their doctors, rush to the emergency room, ignore it, etc.? If consumers have access to more (and constant) data about things like blood pressure, heart rate and more, whose job is it to educate them on what merits a call to the doctor (or 911)? Who will be responsible for validating the accuracy and relevance of that information? How will that information be incorporated into your customer support materials?
  • Support Considerations — How often will you support and update older models? Will you decide to stop supporting older models so that consumers will be forced to buy new ones? What backlash might that cause from consumers?
  • Device Malfunctions — What are your responsibilities when it comes to device malfunctions? For example, some people with diabetes use a special watch to monitor and manage their blood glucose levels. But what if a device fails to detect a dangerous change in blood glucose? Should the device warn the user that it’s malfunctioning, and should users be advised to carry old-fashioned testing kits as a backup? And how should those situations be considered when conducting risk analysis?

Considerations for Industrial/Commercial Devices

  • Uptime Rates — When it comes to your industrial and commercial devices, what will be your standards for uptime? Should that change according to the purpose of the IoT device? (An acceptable uptime rate for a device that allows a nurse to monitor the vitals of multiple patients remotely, for example, would probably be higher than for one that adjusts the thermostat at quitting time.)
  • Maintenance Scheduling — If you're in the industrial IoT market, how will you coordinate the required updates and maintenance with your clients' schedules?
  • Data Regulations and Restrictions — If your devices are used in transportation, what information are they legally required to record (or prohibited from recording) by the countries where you operate? If requirements change from one country to another, how will you ensure overall compliance?
  • Adherence to OSHA — If your devices will be used in manufacturing plants, how will you ensure that plant employees will be able to use, install, repair, and replace them without violating Occupational Safety and Health Administration (OSHA) regulations?
  • Tamper-Proofing — How will you ensure your devices can’t be tampered with (by truck drivers wanting to get more hours after they’ve maxed out, for example)?

Welcome a New Layer to Your Digital Policy Program

As you can see, there’s a LOT to think about when it comes to developing digital policies for your IoT devices (the lists above barely count as an appetizer!). So how can you ensure that you cover all of these issues? The answer is to treat your IoT devices just like any other digital property by developing comprehensive IoT policies — and making sure that no IoT device rolls out without being examined through the lens of those policies.

If you already have a digital policy program, this adds another layer. If you don't already have digital policies, your organization is at higher risk than you may realize. In that case, I strongly encourage you to consider working with an expert to help you get up to speed.