Amazon Echo’s Role in Murder Investigation Shows Vulnerability of Connected World

Security threats to your personal information or corporate systems are everywhere – even from your smart speaker, fitness tracking bracelet or video game console. Any tech device connected to the internet or an external system could be an entryway for hackers.

Many of these devices can also record private conversations that could be revealed in the future, sometimes by court order. Last week, Strafford County Superior Court Presiding Justice Steven M. Houran ordered that Amazon turn over recordings taken from an Echo device as evidence in a New Hampshire double murder case.

Amazon has said it will not release the recordings by the device’s virtual assistant, Alexa, without a binding legal demand, but the decision could set a legal and social precedent for how personal data can be used. While officials in New Hampshire hope that these recordings could help lead to a conviction, the long-term impact on data privacy for smart speakers and other devices could be significant, affecting how consumers and businesses use these tech tools.

“With every connected device you have, there is significant risk that all consumers and organizations can face.” – David Derigiotis, Burns & Wilcox

The New Hampshire investigation is the latest example of the concerns consumers and businesses should have about connected devices, according to David Derigiotis, Certified Information Privacy Professional (CIPP), Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox.

“The more connected a business is, the greater the need for securing the technology and all data that flows through it,” said Derigiotis.

“With every connected device you have, there is significant risk that all consumers and organizations face,” Derigiotis said. “There is inherent risk in properly protecting the wealth of data the connected devices accumulate as well as securing the device itself. Just as we are seeing with Amazon, law enforcement may also require access to information should a criminal investigation lead to a warrant supported by probable cause.”

A report in August claimed that Amazon has sold 50 million Echo devices. This would represent significant growth, up from the 5 million to 6 million smart speakers of all makes and models sold in 2016, according to technology research firm Canalys.

“How secure is your smart refrigerator or printer for example?” – David Derigiotis, Burns & Wilcox

The privacy and security threat, however, is from more than just smart speakers. Connected appliances, security systems and other gadgets in a home or workplace could represent a security weak spot for cyber criminals, Derigiotis said. “Many of these are the newest consumer items that are not made with security in mind. How secure is your smart refrigerator or printer for example? They are made for convenience. These devices provide access into your network and can double as a participant in an army of compromised internet of things (IoT) used to carry out attacks against a target,” he added.

Businesses should have proper Cyber and Privacy coverage

Employers of all sizes should have a Cyber & Privacy Insurance policy to help protect their interests, systems and employees, Derigiotis said. These policies continue to emerge in terms of available resources offered, coverage type and amount.

The enactment of the General Data Protection Regulation (GDPR) brought added exposure for any business that targets or collects personally identifiable information on European Union (EU) citizens. Businesses that violate GDPR, even those located in the U.S. and Canada, can be fined up to 4 percent of their worldwide revenue for the most serious violations.

Enacted earlier this year, the California Consumer Privacy Act is perhaps the most stringent regulation so far in the U.S. It will give California consumers control over their personal data starting in 2020.

These regulations are becoming more stringent in the U.S. as cyber and privacy exposure for companies is soaring. In September, Uber was ordered to pay $148 million after a data breach exposed personal information of 57 million of its users. In March, Under Armour admitted that 150 million of its fitness user accounts had been hacked.

That exposure to businesses can come in many ways. IT systems may be compromised based on what high-tech devices employees, clients or guests bring into a workplace—from watches to smart speakers. When these devices access a network, security can be more easily bypassed.

“This is one of the many reasons why employers need to develop a comprehensive mobile device and endpoint security policy that has to be both shared and enforced,” Derigiotis said. “Those policies should provide employees guidance on what they can connect to the corporate network and IT professionals from there should segment access within that network. Not all employees need or should have unrestricted access.”

Those policies should also manage how to deal with employees who may be connecting to a network from home where other connected devices from appliances to TVs are located. “They represent pathways to reach data,” Derigiotis said.

Suggested limits and additional insurance features

Derigiotis recommends that any organization handling data purchase a Cyber and Privacy policy that includes a minimum of $1 million in coverage. Policies with limits up to $1 billion are in the process of being developed by brokers and carriers for some of the largest employers in the world, he added.

A Cyber and Privacy policy will usually cover legal costs associated with defending a case, such as when Amazon or other tech companies have tried to prevent law enforcement officials from accessing conversations recorded by smart devices. These policies also cover other costs associated with data breaches, from typical expenses for investigation and remediation, privacy attorney fees and ransomware demands to emerging risks such as bodily injury and physical damages caused by a cyberattack. This will become a bigger concern as more connected devices enter the consumer market and corporate environment.

Pay close attention to what is being provided in the insuring agreements, especially as more scrutiny is placed on organizations for their privacy and data protection practices, Derigiotis said. One such insuring agreement is Regulatory coverage, which addresses investigations, inquiries or hearings initiated by a governmental, regulatory, law enforcement or statutory body. Another is Business Interruption, which covers the costs associated with the downtime an organization experiences that can adversely impact business operations, inventory losses and lost wages.

Consumers need to be educated about potential threats

Amazon tells customers that voice recordings associated with its smart speakers are kept “to improve the accuracy of the results provided to you and to improve our services,” according to its website. So what is recorded in your home by a smart speaker may not stay there.

Voice-activated devices can also be an entry point for hackers to steal an audio file of a person’s voice, said Neil Gurnhill, CEO, Node International, a provider of digital, cyber and technology risk insurance globally. This could allow hackers to gain access to networks and devices where someone’s voice is the primary security deterrent.

“Six of 10 searches using connected devices are done by voice,” Gurnhill said. “My youngest children are 3 and 4 years old and they can’t completely read or write yet, but they can use their voices to search on YouTube. The threat is real.”

“Homeowners can no longer rely on large entities like governments or agencies – they really need to take the power back,” Gurnhill said. “At the very least they need to be aware of the dangers so they can take whatever steps needed to add protection on their end.”

Along with voice activation, home automation is another industry trend that could expose consumers to security threats, Gurnhill added. While companies such as Samsung are marketing the benefits of a connected home, such technology can lead to cyber and privacy issues.

Most consumers know that their online behavior will result in cookies and other trackers that can target their buying habits. But with data breaches on the rise, even at large financial institutions, prevention can only go so far. In July, the Identity Theft Resource Center said more than 22 million records had been exposed through the first half of the year in the U.S.

“Someday in the near future we may even see a DNA data breach.” – Neil Gurnhill, Node International

Complicating the issue is that smart devices themselves may be the cause of a breach, even without a third party illegally trying to access them. This happened earlier this year with a Portland, Oregon couple whose Amazon smart speaker mistakenly heard a series of requests and commands while the couple was talking at home. The recorded conversation was ultimately shared with one of the husband’s co-workers in Seattle.

“Someday in the near future we may even see a DNA data breach,” Gurnhill said. “There’s really no limit to what data can be stolen.”

As with any coverage need, an insurance broker or agent must be consulted.

This information was provided by Burns & Wilcox, North America’s leading wholesale insurance broker and underwriting manager. Burns & Wilcox works exclusively with retail insurance brokers and agents to assist clients like you with their specialty insurance needs. Ask your insurance broker or agent to review your Cyber and Privacy coverage or any other related policies to ensure you have proper protection.