IoT and Data Ownership: Your Device your Data?

Greater openness across IoT data ecosystems will result in a broader range of services being offered to end users.

Who owns IoT data? It’s a question at the heart of the modern data economy. At its most fundamental, and from a legal standpoint, data can only be owned once they are gathered into a database or platform. “As a thumb rule, whoever owns the title to the data processing platform owns the data,” says Somjit Amrit, country head at AM Technologies. But just as important as outright ownership are data privacy, security, and subject data rights and access. Data ownership can play out very differently in individual applications, while there are also broad distinctions across consumer and commercial use cases. Meanwhile, in instances where equipment is leased, data ownership will typically be determined by a contractual clause.

Different Types of Data

Types of data matter too: personal data is a special case, especially since the introduction of the European Union’s General Data Protection Regulation (GDPR) in 2018, which granted individuals robust data rights, including portability and the right to deletion. The situation is made more complex by techniques such as data anonymization, de-identification, or aggregation, whereby an organization may want to store and use data in a form untraceable to individuals. However such approaches are controversial, given that it has been demonstrated that in some cases “anonymized” data can be traced to an individual using just a handful of data points.

The next stage will be when we get to a way that you can assign a real value to data in the context of an organization.
_{Fedelma Good, PwC Data Protection Strategy Tea}

Given that an IoT ecosystem will often have multiple stakeholders, including manufacturers, end users, third party solutions providers, and even the public sector, often the situation can best be characterized as “give and take” says Amrit. “Data could be owned by the owner of the data processing platform, but it could be shared with the ecosystem in exchange of discounts, incentives, or the price to be paid for curating he raw data into processed and usable data to generate insights,” he says. As data become more valuable, organizations are having to invest more in the asset, as well as facing increased scrutiny from the public and regulators. But it wasn’t always this way. When computing power was emerging among corporations, many companies saw data as a poor relation to hardware and software, which were considered to be the tangible assets, observes Fedelma Good, a director in PwC UK’s Data Protection Strategy, Law, and Compliance Services team. But that is changing, she believes, as elements of the GDPR, especially transparency and accountability, force companies to be more circumspect about how they gather and store data, while incurring greater costs to ensure compliance. “The [next stage] will be when we get to a way that you can assign a real value to data in the context of an organization. And we have it to a certain extent already in good will. I still think that what is missing is an element about the quality of the assets and the lifespan of the asset, which becomes even more important with GDPR,” she says.

Conflicts of Interest: IoT and Data Ownership

Just as fundamental as questions about ownership are questions about access. The classic example is of an IoT device – say a construction machine or a car – that generates large volumes of data, but within a closed ecosystem which only the manufacturer can access to deliver services such as telematics. That means any third-party solutions providers may have to install additional hardware if they want to provide services. This situation is especially acute in commercial operations where a company runs a large vehicle or machinery fleet with multiple brands. In some cases they will be forced to rely on multiple telematics systems or use additional hardware in order to view their fleet data via a single ERP. Those in the industry note that the interests of original equipment manufacturers (OEMs) and purchasers are often not aligned: the OEM wants to maintain a closed ecosystem where they alone can provide services, while the owner wants freedom to choose their service providers Closed ecosystems point to the importance to OEMs of maintaining long-term relationships with equipment buyers, especially given the revenue and profits generated by maintenance and spare parts. It’s also a way for OEMs to differentiate their product, says Lasse Paakkola, managing director at Aplicom, a telematics device manufacturer and developer. “When products get more similar, the only thing that differentiates them is services, and for telematics these are an important platform for providing customer satisfaction.

When products get more similar, the only thing that differentiates them is services.
_{Lasse Paakkola, Aplicom}

“Even then, the line between what constitutes an open or closed eco-system may be blurry. Take the example of heavy commercial vehicles, where in Europe most comply with the Fleet Management Standard (FMS), an open system. But in order to access onboard data a fleet owner may have to purchase a gateway that can cost as much as €500 per vehicle, which may be more expensive than simply installing additional third party sensors to use in a telematics system, notes Paakkola.

Hendrik Nieweg, VP of Solutions at Device Insight, an IoT specialist, sees numerous reasons why OEMs may want to use closed systems, including retaining control over the platform to offer services to end users, and ensuring that the services offered are high quality. A significant reason too is the huge investments that companies must make in developing data platforms, and the potential additional costs that could come from making systems open. The fear is that if the systems were entirely open it would allow startups or other players to profit by offering their own services, leaving manufacturers unable to recoup their costs.

The trend is toward greater openness, though there is significant variation between industries.
_{Hendrik Nieweg, Device Insigh}

Nevertheless, the overall trend is toward greater openness, though there is significant variation between industries. Within the agricultural sector, where the typical use case is a machine using an implement from a different manufacturer, the industry has developed open data standards, says Nieweg. Contrastingly, the construction equipment market is largely comprised of closed ecosystems, though that may change in the future, with organizations such as the Mechanical Engineering Industry Association (VDMA) in Germany in the process of developing global standards for worksite interoperability.

The automotive sector has become increasingly open over the last five years, says Dr. Ben Miners, chief innovation scientist at IMS, part of Trak Global Group, which offers telematics and insurance products.

Onboard data is becoming more available and more standardized.
_{Dr. Ben Miners, Trak Global Group}

He notes that for a company like IMS, being able to deliver solutions to a full fleet requires a range of technical approaches, including normalizing onboard data and installation of additional hardware. But onboard data is becoming more available and more standardized. In the longer term, there may also be demand from governments to use telemetry data to price transportation or roads costs, he says. “This is primarily driven by governments, and so may actually drive standardization faster than privately driven fleet and insurance programs,” says Miners. Nevertheless, even greater openness doesn’t entirely remove the need for the use of additional hardware, for example in the case of older vehicles, or for applications such as insurance where more precise data can be received by using fitted sensors, he notes.

IoT and Data Ownership: Off-Board Data Access

The development of neutral servers may also herald an era of greater openness in the automotive data market, ultimately resulting in enhanced services for drivers. High Mobility, a neutral server and data marketplace based in Germany, allows third-party applications to source vehicle data via an application programming interface (API), allowing off-board data access to the extended vehicle interfaces (ExVe) of the OEM. It currently has contracts with Mercedes-Benz, MINI and BMW, but plans to add an additional three to five OEMs by the end of 2020, says Manuel Scheibel, the company’s director of sales and business development.

For most auto-makers, working with neutral servers is a question of technical maturity.
_{Manuel Scheibel, High Mobility}

Charging for data access brings revenue to car companies: in most cases automakers are open to working with neutral servers, it’s just a question of technical maturity rather than fearing an open data marketplace, he says. As they add additional brands, meaning wider coverage of the total vehicle fleet, he’s expecting they will see a marked increase in clients, and believes API access will also open up the industry to a broader group of companies, resulting in new products and services for end users. “Already we are seeing that companies which have no experience with car data are interested now that it’s possible to digitally retrieve data via a single API. Of course it will be even more usable when there are more OEMs on board,” says Scheibel.

Insuring Databases

Cyber Insurance

In Fight Club, a popular movie from 1999, the protagonist uses explosives to destroy bank records in a bid to erase records of debt, an attack that would have been devastating for business. These days the threat is no longer fictional, but is more likely to come via a cyberattack. In the United States, a handful of medical clinics have seen their databases – including patient records – deleted as consequence of ransomware attacks. In one case, two elderly doctors decided to speed up their retirement after their clinic had all its files deleted. This is the realm where cyber insurance could make a difference – whether to provide specialist help in the case of a ransomware attack or hack, or to pay out to a company for data and software reconstruction and business interruption costs. Yet while cyber risk insurance is one of the fastest-growing areas in the insurance market, it’s also one of the most complex. It suffers from a lack of reliable data due to the newness of the field and the rapidly evolving set of threats that companies face, explain Steve Whelan and Eduard Alpin of Verisk, a data analytics and risk assessment company. Limited past events and a plethora of “unknown unknowns” is bad news for a sector that relies on data to make predictions about future events and price that risk accordingly. Insurers are pricing their premiums to make the sector attractive from their standpoint, but also pricing in that uncertainty.

 

The worst-case scenario would be some kind of mass event affecting many of their clients at the same time. The means most cyber insurers will cap or limit their exposure to very large companies, building towers with different layers of coverage. And while a Fortune 100 company may be able to obtain coverage from multiple insurers, it’s unlikely a company will be able to receive multi-billion dollar coverage commensurate with potential losses if they were to suffer a devastating attack that destroyed their database. “There’s been a challenge for a lot of these Fortune 100 companies where they can’t get enough cyber insurance limit,” explains Alpin.

That means that frontline defenses, cloud backups, and secure backups of those backups are the order of the day to protect data and databases.

READ MORE ARTICLES