The Internet of Things:

“You Ain’t Seen Nothin’ Yet”

By Ignatius A. Grande | Mark E. Michels

October 2014

The Internet of Things:

“You Ain’t Seen Nothin’ Yet”1

In recent years, discovery professionals have had to come to grips with diverse forms of

electronically stored information (“ESI”) generated from a variety of new technologies,

including mobile devices, the cloud, and social media. They have had to deal with these diverse

forms of ESI while at the same time deal with an exploding volume of data from traditional

sources such as organizational email and data repositories. Yet, when it comes to the Internet of

Things (“IoT”) and the data challenges discovery professionals will likely face in the coming

years, Randy Bachman’s 1974 observation, “You Ain’t Seen Nothin’ Yet2,” was right on.

What is The Internet of Things

Although the idea of the “Internet of Things” (“IoT”) may have emerged as early as

19993, the concept has taken on some broad connotations. “The improved cost performance of

computing, storage, and bandwidth has enabled devices of all kinds—including smartphones,

wearables, appliances, medical equipment, and vehicles—to connect with the Internet and each

other to create, share, and analyze information, all without human intervention.”4

IoT has been defined as “the network of physical objects accessed through the Internet…

These objects contain embedded technology to interact with internal states or the external

environment.5” The IoT concept “involves connecting machines, facilities, fleets, networks, and

even people to sensors and controls; feeding sensor data into advanced analytics applications and

1 Ignatius A. Grande, Hughes Hubbard and Reed, LLP and Mark E. Michels, Deloitte Transactions and Business

Analytics, LLP.

2 http://en.wikipedia.org/wiki/You_Ain't_Seen_Nothing_Yet_(Bachman-Turner_Overdrive_song)

3 RFID Journal, That ‘Internet of Things’ Thing, June 22, 2009 http://www.rfidjournal.com/articles/view?4986

4 Deloitte, The Internet of Things Ecosystem

http://www.deloitte.com/view/en_US/us/Industries/technology/fae342b71ffa6410VgnVCM2000003356f70aRCRD.h

tm?id=us:2el:3fu:ioteco:awa:tmt:062014

5 Cisco, The Internet of Things, http://www.cisco.com/web/solutions/trends/iot/overview.html

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 2

Ignatius A. Grande and Mark E. Michels

predictive algorithms.”6 “In a single day, we will leave digital fingerprints not only through the

devices we carry, but also every object or establishment we interact with will possess metadata

about our movements and decisions.”7

Examples of these Internet-connected “things” include smart phones, smart watches,

activity trackers, health and fitness trackers, seat sensors, thermostats, road sensors, and smart

keys or security systems for consumers. Internet-connected things also can link “manufacturing

floors, energy grids, healthcare facilities, and transportation systems–to the Internet.”8

Furthermore, [w]hen an object can represent itself digitally, it can be controlled from anywhere.

This connectivity means more data, gathered from more places...”9 IoT business opportunities

are so compelling that, according to the Economist, almost 75 percent of executives surveyed by

the Economist Intelligence Unit were exploring or adopting some form of IoT solution.10 In fact,

Cisco estimates that the 10 billion IoT devices that existed in 2010 will balloon to more than 50

billion devices by the year 2020.11

IoT, with its massive, disparate, transitory data--located within companies and within

third party providers—is expected to present significant challenges to discovery professionals.

However, case law and rules put in place over the past decade should provide practitioners with a

framework for providing practical and proactive advice and to address IoT data demands in

future litigation and disputes.

6 Deloitte, Signals for Strategists, The Internet of Things http://dupress.com/articles/the-internet-of-things/

7 Michele Lange, JD Supra Business Advisor, How the ‘Internet of Things’ Will Impact Discovery, March 6, 2014

http://www.jdsupra.com/legalnews/how-the-internet-of-things-will-impact-12960/

8 Cisco, The Internet of Things http://www.cisco.com/web/solutions/trends/iot/overview.html

9 Id.

10 The Economist, The Internet of things Business Index, October 29, 2013

http://www.economistinsights.com/analysis/internet-things-business-index

11 Dave Evans, Cisco IBSG, The Internet of Things: How the Next Evolution of the Internet Is Changing Everything

April 2011 http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 3

Ignatius A. Grande and Mark E. Michels

IoT Uses and Potential Uses

Individuals are already using and accessing numerous sensors and transmitters that

connect to the Internet in some way. Smart phones with their geolocation capabilities provide

users (and potentially others) with information about restaurants, stores and entertainment in

their vicinity. The smart phones’ geolocation services are also integral to the phone’s navigation

functions. Some navigation services on GPS devices or navigation applications transmit traffic

congestion data back to the phone or GPS device in order to provide alternative route

recommendations.

The activity trackers and sleep trackers that many individuals wear, collect information

and send it to the internet, and based upon that information, these devices end up providing

useful information related to the wearer’s health and well-being. Smart watches reportedly have

an ability to track data (heart rate and body temperature) which reflect the wearer’s relaxation

level.12 Implants or stamp-sized silicone sensors have not yet taken hold, but the technology is

available to enable these nearly invisible devices to transmit information about a number of

health conditions, including one’s temperature, muscle activity, or heart rate.13 Internetconnected

cameras and sensors in the home provide the homeowner with convenience and

security. Thermostats with sensors communicate with other devices in the home and with the

homeowner to monitor and manage temperature. TVs may track usage patterns and ad watching

patterns and transmit such information via wireless connection.14 Sensors in refrigerators may

notify consumers when they are out of out of milk by transmitting a signal to the person’s smart

12 Stan Shroeder, Mashable, Asus ZenWatch: A Fancy Smartwatch That Measures Your Relaxation Levels September 3, 2014.

http://mashable.com/2014/09/03/asus-zenwatch/?utm_cid=mash-com-Tw-main-link

13 Tim De Chant, Nova Next, In Ten Years, You Won’t Even Know You’re Wearing Them, June 18, 2014.

http://www.pbs.org/wgbh/nova/next/tech/wearable-health-sensors/

14 Internet of Things Privacy Summit Blog, 59% of U.S. Internet Users Know Smart Devices Can Collect Information About Their

Personal Activities, May 30, 2014 http://www.truste.com/events/iot/2014/05/59-of-u-s-internet-users-know-smartdevices-

can-collect-information-about-their-personal-activities/

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 4

Ignatius A. Grande and Mark E. Michels

device that will, in turn, sense when an individual is near a grocery store and generate an alert to

suggest purchasing milk.15 In addition to these consumer applications, IoT business applications

abound. Among them are automobile telematics (telecommunications and informatics),

healthcare and industrial controls.

The insurance industry now offers usage based insurance (“UBI”) which use automobile

sensor data (which the automobile transmits back to the insurer’s data repository) to establish

customer insurance premiums. For those who purchase UBI policies the automobile is equipped

with devices which “measure a number of elements of interest to underwriters: miles driven;

time of day; where the vehicle is driven (GPS); rapid acceleration; hard breaking; hard cornering;

and air bag deployment.”16 With such data the insurer can undertake an analysis of the data and

price an insurance premium aligned with the individual’s actual driving patterns.17 For example,

“a driver who drives long distance at high speed will be charged a higher rate than a driver who

drives short distances at slower speeds.”18

Automobile sensors also can report data back to fleet managers or manufacturers which

indicate the need for repair or maintenance. One company has developed a service where vehicle

sensors transmit data to a monitoring center which indicates that the automobile had an accident,

which enables operators to dispatch emergency responders.19A very popular use case for

Internet-connected sensors is delivering remote healthcare. Sensors placed in the home, on the

individual and in medical testing devices can transmit data back to the medical professional to

15John Kuhn Medill, McClatchy DC, With ‘Internet of Things,’ your fridge will know when milk is low, May 23, 2014,

http://www.mcclatchydc.com/2014/05/23/228307/with-internet-of-things-your-fridge.html#storylink=cpy

16 National Association of Insurance Commissioners, Usage-Based Insurance and Telematics, 7/18/2014

http://www.naic.org/cipr_topics/topic_usage_based_insurance.htm

17 The U.S. Government Accountability Office (GAO) undertook an extensive study on in-car location-based services

and some privacy implications: http://www.gao.gov/products/GAO-14-81

18 Id.

19 Cnet, AAA to offer customers In-Drive Emergency Response Telematics, August 15, 2011 http://www.cnet.com/news/aaa-tooffer-

customers-in-drive-emergency-response-telematics/

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 5

Ignatius A. Grande and Mark E. Michels

identify treatment needs or other medical issues. With an aging population these medical “smart

homes” may help individuals remain in their home and delay or avoid the emotional and

financial costs of moving into an assisted living facility.20

Sensors placed in industrial control systems, such as supervisory control and data

acquisition (“SCADA”) systems, provide capabilities to manage power grids and pipelines.

These sensors can monitor the hardware and systems and provide real-time reports to operators.

Analysts also can evaluate compiled historical data to provide insight into longer-term equipment

operation and maintenance experience. For example, sensors placed in petroleum processing and

transport equipment can automatically send alerts to central technicians to allow remote

troubleshooting and problem resolution.21

These are just a few of the emerging IoT developments. Dr. Richard Mark Soley, the

Executive Director of the Industrial Internet Consortium, views the industrial Internet as a third

major revolution preceded by (1) the industrial revolution and (2) the Internet revolution.22 A

broad ecosystem will need to emerge to enable this Industrial Internet revolution. Indeed, one

finding of an IoT workshop conducted with the MIT Media Lab concluded that, “[t]o realize the

expected impact and potential market for IoT, providers will have to work together within the

IoT provider ecosystem of infrastructure, hardware, software, and other vendors to develop

solutions that have greater potential to drive significant business value for enterprises.”23

20 See, Wall Street Journal, CIO Journal, Using Sensor Technology to Lower Elder Care Costs, July 28, 2014.

http://deloitte.wsj.com/cio/2014/07/28/using-sensor-technology-to-lower-elder-care-costs/

21 Deloitte, The Internet of Things Ecosystem,

http://www.deloitte.com/view/en_US/us/Industries/technology/fae342b71ffa6410VgnVCM2000003356f70aRCRD.h

tm?id=us:2el:3fu:ioteco:awa:tmt:062014

22 See, The Industrial Internet: A Sence of the Future, September 15, 2014 http://www.industrialinternetconsortium.org/tx-

14/presentations/Soley_Opening_Keynote-9-15-14.pdf

23 Deloitte, The Internet of Things Ecosystem,

http://www.deloitte.com/view/en_US/us/Industries/technology/fae342b71ffa6410VgnVCM2000003356f70aRCRD.h

tm?id=us:2el:3fu:ioteco:awa:tmt:062014

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 6

Ignatius A. Grande and Mark E. Michels

IoT in Litigation and E-Discovery

As the number and variety of IoT devices rapidly increase in coming years and the

volume of data created by such devices increases, IoT is expected to have a great impact on the

practice of e-discovery and the challenges and risks that companies and individuals will face.

The Federal Rules of Civil Procedure seem to be well suited to adapt to this revolution.

The Committee Notes to the 2006 Amendments to the Federal Rules note that, “[t]he wide

variety of computer systems currently in use, and the rapidity of technological change, counsel

against a limiting or precise definition of electronically stored information.”24 In addition, the

Notes state that Rule 34(a)(1) “includes any type of information that is stored

electronically…[including]… information "stored in any medium," to encompass future

developments in computer technology.25 Rule 34(a)(1) is intended to be broad enough to cover

all current types of computer-based information, and flexible enough to encompass future

changes and developments.

Companies that store data from IoT devices, whether they are corporations or technology

companies will need to properly maintain such data in ways that do not violate privacy rights of

individuals whose data is being collected. TRENDnet, a company that produces wireless

cameras that beam live and motion-captured video to users' laptops or phones, learned this lesson

the hard way. The Federal Trade Commission recently penalized TRENDnet for its lax security

practices after a hacker in January 2012 exploited a security flaw and posted links to the live

feeds, which “displayed babies asleep in their cribs, young children playing and adults going

about their daily lives.”26 TRENDnet agreed to sanctions that include a 20-year security-

24 Federal Rules of Civil Procedure, Rule 34 Advisory Committee Notes to 2006 Amendments

25 Id.

26 In the Matter of TRENDnet, Inc., FTC File No. 122 3090 (Sept. 4, 2013) (Complaint ¶ 10).

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 7

Ignatius A. Grande and Mark E. Michels

compliance auditing program.27 TRENDnet may be the first IoT company that was ill-prepared

to manage the privacy challenges of the IoT industry, but they will not be the last company to

run into issues managing IoT data.

The next television that you purchase will likely be a “smart TV” that connects to the

internet. This technology is also experiencing some of the dangers of the Internet of Things, as

it appears that certain technologies that have made this possible also allow for hackers to

takeover apps on the TV or even launch attacks across the Internet. There are even indications

that in certain scenarios, the hacker could log in and post messages to the homeowner’s social

network, such as Facebook, on the person's behalf. “Smart fridges, garage doors, car

entertainment systems and electricity meters are all examples of new technology that all benefit

from Internet connectivity, but the extension of technology in this way also brings the possibility

of more cyber-attacks.”28

In addition, parties in future years will need to be cognizant of case law developments on

custody, possession and control, with regard to how that concept will be applied to the Internet of

Things. The questions of who has possession, custody, and control in this age of the internet of

things will be complicated by issues of cost, burden, access, privacy and contractual issues.

Especially since the location of IoT data will not always be obvious and the ownership of such

data may also not be clear, the issues that courts will face in determining what data is within a

party’s possession, custody and control, will be complex.

It is only a matter of time until there will be regular demands for IoT data in civil

litigation, criminal investigations, and regulatory matters. Imagine search warrants for sensor

27 In the Matter of TRENDnet, Inc., FTC File No. 122 3090 (Sept. 4, 2013) (Consent Order).

28Doug Drinkwater, SC Magazine, Alarm bells ring for Internet of Things after smart TV hack, June 10, 2014 (quoting David

Emm, senior security researcher at Kaspersky Lab) http://www.scmagazineuk.com/alarm-bells-ring-for-internet-ofthings-

after-smart-tv-hack/article/354900/

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 8

Ignatius A. Grande and Mark E. Michels

location data, demands for biometric data from activity and health monitors in personal injury

matters, or requests for automobile sensor data in defect class-actions. Employment actions could

be decided by location sensors or seat sensors that confirm when someone was working at their

desk. IoT devices have the potential to eventually track everything that individuals are doing at

home and at work and to track various corporate operations. The potential uses of IoT devices

are endless when almost every device can be connected to the internet. While we are still in the

nascent stages of the IoT age, our courts have put in place a framework that should quickly adapt

to address IoT technologies. In recent years, courts have extended preservation and discovery

obligations to encompass social media content, text messages, and data stored on the cloud.

Social media content is also a form of data that has developed quickly and is not viewed

in the same light as email or written correspondence by some people. In Lester v. Allied

Concrete,29 the Court found that social media data should be treated like any other electronically

stored information when it comes to preservation obligations. In Lester v. Allied Concrete,

Plaintiff filed suit for wrongful death of his late wife and for his personal injuries, including

mental anguish. During the litigation, the defendant in the case requested that the plaintiff

produce information and pictures from his Facebook page, including a photo of Plaintiff holding

a beer can and wearing a shirt stating, “I love hot moms.” Following this discovery request,

Plaintiff’s attorney directed him to “clean up” his Facebook page because “[w]e don’t want any

blow-ups of this stuff at trial.” Plaintiff then deactivated his Facebook page. However,

Defendant had already seen the damaging photos and had downloaded some photos from

Plaintiff’s Facebook site. Due to Plaintiff’s actions, Defendant incurred significant legal and

expert fees in addressing Plaintiff’s conduct and seeking to recover the pictures.

29 Lester v. Allied Concrete Co., Nos. CL.08-150, CL09-223 (Va. Cir. Ct. Sept. 1, 2011).

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 9

Ignatius A. Grande and Mark E. Michels

The Court found that an attorney directing a client to delete social media content subject

to a legal hold was no different than an attorney directing a client to delete emails or other

electronic data. The Court granted Defendant’s motion for sanctions and awarded over

$700,000 in fees and costs.

Courts have also made it clear that text messages are subject to a party’s preservation

obligations. The defendant in In re Pradaxa30 was sanctioned $931,500 for, among other things,

failing to preserve and produce employees' text messages. The Court in this case stated that

“[t]he basis for their argument seems to be… that the production of text messages is too

burdensome….It is certainly common knowledge that texting has become the preferred means of

communication.” Since text messages are not often preserved on a company’s server, it is vitally

important to proactively seek to preserve such data when it is subject to a legal hold.

In Brown v. Tellermate,31 the Court made it clear that a party to a litigation cannot plead

ignorance when it comes to data that is maintained and stored in the cloud by a third party

provider. In this case, the data at issue was not from IoT devices although if it were, the holding

would likely have been the same. The data at issue here was maintained in a third-party, webbased

customer relationship management (“CRM”) application that records sales employees'

interactions with customers and potential customers.

Plaintiffs had requested certain data from the CRM system, but Tellermate claimed that it

did not maintain the CRM information and could not “print out accurate historical records.”

Tellermate’s counsel represented that Tellermate was “contractually prohibited from providing

30 In re Pradaxa (Dabigatran Etexilate) Prods. Liability Litig., No. 12-md-2385, 2013 WL 6486921, at *17, *20 (S.D. Ill. Dec.

9, 2013); see also Small v. University Medical Center of Southern Nevada, 2014 WL 4079507 (D. Nev. 2014)

31 Brown v. Tellermate, No. 2:11-cv-1122 (S.D. Ohio July 1, 2014)

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 10

Ignatius A. Grande and Mark E. Michels

the CRM information -- including information Tellermate inputs into it -- to third parties.”32 As it

turned out, this proved to be false. The contract between the CRM solution provider and

Tellermate made clear that Tellermate owned and controlled the information that had been

inputted into the application by Tellermate employees.

Not only did the Court find that Tellermate misrepresented facts regarding the availability

of data in the CRM tool, it found that Tellermate failed to properly preserve data that was

maintained in the application. There were no snapshots or copies made of the data on the CRM

system at the key point in time. Testimony demonstrated that Tellermate employees had the

ability to go into the tool and update, or in some instances overwrite, information regarding

customer contacts. At the time the litigation commenced, Tellermate did not take any steps to

preserve or export a snapshot of the data as it existed at that time.

Due to Tellermate not taking steps to preserve the CRM data, the Court took the extreme

step of precluding Tellermate from “using any evidence which would tend to show that the

[Plaintiffs] were terminated for performance-related reasons.33” Additionally, the Court ordered

Tellermate to pay Plaintiffs’ attorneys’ fees and costs in connection with moving to compel

discovery.34 Brown v. Tellermate and other preservation cases like it have important

ramifications for companies to keep in mind when implementing or using IoT solutions.

Parties did not anticipate preserving data in the more novel forms that they were being

created in the cases set forth above. Not asking the right questions and taking the right steps

came back to haunt the parties accused of spoliating in the cases above. Attorneys and

companies will be presented with many challenges as IoT technologies take hold in our world.

32 Id.

33 Id.

34 Id.

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 11

Ignatius A. Grande and Mark E. Michels

It is going to be crucial for in-house counsel and outside counsel to find out when IoT

technologies are being rolled out by their company and what kinds of data the devices are

tracking or storing, where such data is maintained and how they will be able to export or freeze

portions of that data in response to future legal holds that are put in place. When putting in place

legal holds, in-house counsel and outside counsel should be sure to ask the right questions of IT

departments and others at corporations in order to determine what if any IoT devices may be

used that might be producing information that is relevant to a given litigation or investigation.

It is not too early for discovery and forensic professionals to begin asking these questions of

clients and to anticipate the impact of the Internet of Things on their practice.

In the IoT world, it will not always be clear when IoT data may be potentially relevant

and the location of the data that is being collected by IoT devices may not always be known.

Also, the data that may be created by IoT devices may not always be cleanly preserved or

collected from a third party. It may be that IoT data for a given case may be combined with

other data being collected and it might be very costly to preserve or extract any potentially

relevant data.

Related IoT Issues

The United States Federal Trade Commission hosted an “Internet of Things” workshop

focusing primarily on consumer privacy issues in November 2013.35 Similarly, the European

35 Federal Trade Commission, Internet of Things Workshop Transcript, November 19, 2013

http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-security-connectedworld/

final_transcript.pdf

The Internet of Things: “You Ain’t Seen Nothin’ Yet | 12

Ignatius A. Grande and Mark E. Michels

Union Article 29 advisory body on data protection and privacy recently issued an opinion on

data protection risks in the IoT ecosystem.36

Securing data in these massive networks also raises significant concerns regarding

potential data breaches and cyber-attacks. In fact, there are reports that one of the first proven

cyber-attacks on consumer IoT devices occurred earlier this year.37Additionally, IoT moves the

“Big Data” needle even bigger. Accordingly, implementing Information Governance strictures

and process around these IoT data repositories should be even more compelling than it is now.

Conclusion

Like many of the technology developments in recent years, IoT will transform the way

we live and work. Litigation, disputes, and investigations will continue and discovery

practitioners should be prepared to address the complex issues associated with IoT data in the

years to come.

This publication contains general information only and Deloitte and Hughes Hubbard are not, by means of this publication, rendering accounting,

business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or

services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that

may affect your business, you should consult a qualified professional advisor. Neither Deloitte nor Hughes Hubbard shall be responsible for any loss

sustained by any person who relies on this publication. As a non-legal service provider, Deloitte’s discovery services are provided under the direction

and supervision of its client’s legal counsel.

Hughes Hubbard means Hughes Hubbard & Reed LLP. Deloitte means Deloitte Financial Advisory Services LLP and its affiliate, Deloitte Transactions

and Business Analytics LLP. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. Please see

www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available

to attest clients under the rules and regulations of public accounting.

36 See, European Union, Article 29 Working Party, Opinion 8/2014 on Recent Developments on the Internet of Things.

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/

files/2014/wp223_en.pdf

37 Proofpoint, Proofpoint Uncovers Internet of Things (IoT) Cyberattack

http://investors.proofpoint.com/releasedetail.cfm?ReleaseID=819799