Securing Internet of Things (IoT) Devices that Interact with Personal Information

Internet of things (IoT) devices are exponentially growing in adoption across multiple industries. While IoT devices control critical components of daily life, many still lack basic security protections. This research paper surveys the scientific and trade literature on the regulatory and security considerations for IoT device implementors that broker personal data. The General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA) provide regulatory mandates for personal data. IoT device implementors that interact with personal data must safeguard the data or face the consequences, including fines and potential jail time. IoT devices remain a tempting target for adversaries due to weaknesses in their architecture and design. IoT implementors must reconsider traditional methods to protect IoT devices, including network segmentation and virtual private networks, as identity is the new perimeter. Innovation is outpacing regulatory mandates as global position system (GPS) sensors add location into IoT data streams and big data to reconstruct anonymized data back to a person. IoT implementers are challenged by inconsistency across economic areas about the definition of personal data. This paper proposed basic IoT security architecture guidelines that help IoT implementors broker personal data to remain compliant with regulatory mandates and keep the device secure.