
The Intersection of IoT and Smart Business

How can companies utilize Internet of Things solutions while avoiding the pitfalls associated with such technologies?
By Linda Rhodes and Charles King III

Recommendations for Contracting
Developing a complete IoT solution can be a difficult endeavor that requires multiple vendors to provide an array of products and services, such as sensors, data storage, data networks, data ingestion, data cleansing and aggregation, and data analytics. The various products are unlikely to be designed to work together, and each of the multiple vendors would prefer to bear as little as possible of the risk of the overall solution while having as much access to the data as possible. This arrangement leads to various potential failure points throughout the IoT system and makes for a complex contracting scheme. But there are contractual approaches and provisions that can mitigate risk.

Conducting due diligence on potential IoT providers is a good start for contracting—in fact, the FTC recommends it. Due diligence should include legal and security inquiries, in addition to technical, operational and other forms of diligence. By conducting diligence, companies can ensure that each vendor's product or service offering can be integrated into the larger IoT solution. Companies can also identify "red flags" that disqualify a vendor from the selection process (e.g., poor financial health, legal concerns or substandard security measures).

Companies should also strive for detailed security and audit provisions in vendor contracts. Notably, the FTC has brought enforcement actions against companies for failure to reasonably oversee the security practices of their service providers—in part due to a lack of security-related contract provisions. Recommended contract provisions will vary depending on each IoT solution, but could include requirements such as compliance with privacy laws and industry standards, audit rights, penetration testing, vulnerability scans, restrictions on system access and data breach notification.

Vendor contracts should assign rights to IoT data. Companies, in particular, should also carefully consider whether it is appropriate to restrict usage rights for vendors that have access to company data. As noted above, there may be numerous vendors that have access to the data as it flows from the device into networks and eventually to the company. Many of those vendors may be able to monetize the data in ways that do not adversely affect the company. For example, vendors may want to use a company's IoT data in order to create industry reports and form insights into their business, which may be acceptable so long as the vendor aggregates and anonymizes the data. But even then, if analyzed closely, that information may reveal a company's identity or provide business advantages to a competitor.

Currency and maintenance of the IoT devices are also major contracting issues. Vendors often update their devices and service offerings. This can cause operational problems for an IoT solution that relies on several different vendors' devices and services. For example, if a vendor updates its IoT sensors, the integrated data-analysis software may require corresponding updates to ensure proper operation of the system, and if the updates require physical access to the IoT devices, updates could be costly to implement. To address this risk, vendor contracts should clearly define maintenance requirements and ensure that IoT systems will be supported over time. It may also be useful to build in substantial notice periods before vendors can make changes that would reduce functionality of the system.

This is by no means an exhaustive list of issues that should be addressed in IoT contracts. Instead, we intend to provide context that companies can use to develop their own IoT contracting principles. The common theme is that IoT solutions are often complex and require multiple vendors. Digital management strategies should account for this complexity in order to increase the likelihood of successful IoT initiatives.

Linda Rhodes is a partner in Mayer Brown's Washington, D.C., office and a member of the Technology Transactions practice. Linda has extensive experience representing clients in hundreds of matters in technology transactions, including digital transformation (such as cloud computing, automation and AI), data analytics and rights, software development and licensing, and business process and IT outsourcing. Linda has been ranked as a leading lawyer in Chambers & Partners USA: Technology & Outsourcing, Washington, DC (2010-2019). Charles King III is an associate in Mayer Brown's Technology Transactions practice in the Chicago office. Charles focuses his practice on business process outsourcing, data center leasing, and technology transactions related to cloud services and software licensing.
