Recently, IoT (internet of things) devices, more commonly known as “smart devices,” are making a splash in the real estate industry. Building owners can now offer both commercial and residential tenants exciting new amenities, thus giving their properties a competitive advantage in the rental market. Trendy devices such as smart appliances, surveillance systems, digital assistants, environmental controls, leak sensors, and other gadgets can be conveniently controlled from a user’s smartphone. At first, these devices may seem like a no brainer investment for savvy landlords. After all, what could be the harm in offering tenants access to the latest in-home or in-office technology? IoT devices, however, are not entirely harmless and may expose you to unforeseen liability if proper safeguards are not put in place.
How do smart devices work and why does this matter?
Smart devices work by wirelessly connecting to a network and transmitting data over the internet. Knowing this, it’s important to realize that these devices are subject to data breaches just like computers or smartphones. Hackers or malicious malware can target IoT devices to steal sensitive information, and there have already been numerous attacks and data breaches specifically through smart devices over the last few years. In other words, this problem is not theoretical — it is a real, active threat. So what does this mean for building owners who wish to implement (or have already implemented) smart devices in their buildings? Does this mean you should pull the virtual plug and go back to the basics? Not necessarily, you just have to understand the risks at hand in order to adequately protect yourself and your tenants.
Risk number 1: data breaches
Because smart devices gather sensitive data that they transmit through the internet, there is always a risk of breach. Of course, nearly all of these devices have security measures in place to prevent this, but that doesn’t make them impenetrable. We live in an era when malicious AI and adaptive malware can find gaps in even the most secure networks, so no system or IoT device is completely safe from attack (even if they claim to be).
Devices like digital assistants and surveillance systems in particular raise concerns, as they collect especially sensitive information such as a user’s whereabouts or private conversations. This can pose an even greater risk if the device is located in a commercial setting where it can collect confidential business, health care, or financial information. Regardless, the information gathered by these devices, in the hands of bad actors, can create a major breach of privacy at the very least. It’s also worth noting that seemingly harmless devices like leak sensors or smart appliances pose a threat as well, because they too connect to the internet and can create an entry-point for hackers to access other devices connected to that same network.
Risk number 2: consumer privacy legislation
While data breaches present the most obvious concern in regard to smart devices, it’s also important to take consumer privacy laws into consideration. Many tenants who use in-unit smart devices may not understand what surveillance technology is and how to opt out of the processing of their data. It’s important to keep in mind that many individuals lack digital literacy, especially as it pertains to new technology, and as a result are unable to make informed decisions in their best interest.
With the rise of new state privacy laws and potential federal legislation on the horizon, building owners need to ensure that there is adequate transparency built into tenant agreements if choosing to provide IoT devices. Tenants need to be able to make informed decisions about their privacy, and if they are unable to do so, the building owner may be culpable. Without adequate protections in place, building owners put themselves at risk of a lawsuit if they have unknowingly violated consumer privacy legislation, especially in the event of a data breach.
Where to get help
The IoT Security Foundation has a set of best practices for building owners and facility managers. The 2023 “IoT Cybersecurity for Facilities Professionals in the Smart Built Environment” provides risk management recommendations for the installation, acceptance, and maintenance of IoT devices. Furthermore, a fairly comprehensive overview of security risks posed by IoT devices is captured in the Broadband Internet Technical Advisory Group’s “Internet of Things (IoT) Security and Privacy Recommendations”. For building owners focused on energy conservation, including the roll-out of EV charging equipment, the U.S Department of Energy has a “Grid Connected Communities” program with guidance for building owners specific to IoT device security (see Appendix E).
On the horizon for 2024 is a new program proposed by the federal government to push the IoT marketplace to standardize and become more transparent about the level of security built into and supported by IoT devices. In cooperation with manufacturers and retailers, the feds intend to launch a “Cyber Trust Mark” labeling program for smart home devices. The program will have the weight of the National Institute of Standards and Technology to define the state of compliance for IoT devices receiving a Cyber Trust Mark. Compliance is likely to include ever increasing requirements for data security, incident detection capabilities, and corrective actions by device manufacturers. The program will in turn help building owners make better choices about which IoT devices to procure and limit exposure to liability.
Making informed decisions
With new in-home technologies continuously emerging, it’s an exciting time to be in the real estate industry. With that said, it’s important to take the time necessary to thoroughly educate yourself about the risks involved before integrating these technologies into your business. That way, you can put important safeguards in place that allow you and your tenants to reap the benefits of these amazing new advancements.
Smart devices can provide both commercial and residential tenants with a great deal of comfort and convenience, but if you choose to offer them, both data breaches and consumer privacy laws can create potential legal pitfalls for your business. Remember, it’s important to provide adequate information and legal disclosures in order to limit your liability, stay in compliance with consumer privacy regulations, and ensure your tenants’ rights are protected.
Will Sweeney is managing partner of Zaviant, a data privacy consulting firm based in Philadelphia. Mark Wheeler is senior technical consultant with the Federal General Services Administration’s AI and Data Analytics Centers for Excellence and former chief information officer for the City of Philadelphia.
