The U.S. government is moving quickly on developing cybersecurity and privacy polices for the Internet of Things (“IoT”) industry that will, among other things, directly affect how IoT equipment will be required to be manufactured and marketed in the U.S. Noting that “start-ups building IoT technologies and interfaces for the first time may focus primarily on getting an product to market without considering how to protect and secure computer networks and data,” the U.S Department of Commerce (“DoC”) is crafting a broad “National Strategy on IoT,” of which cybersecurity and privacy policies are major components. DoC is offering IoT stakeholders the opportunity to submit comments that will shape government-sanctioned IoT cybersecurity and privacy guidelines. Comments are due on or before February 27, 2017.
Specifically, DoC is seeking comments on the preliminary findings in its recently published “green paper”which summarized the comments it received in response to its April 2016 Request for Public Comment. Well over 100 IoT stakeholders submitted comments for the green paper, but certain issues remain unsettled, particularly in the areas of cybersecurity and privacy.
Cybersecurity
Noting that the highly networked nature of IoT creates a large number of attack surfaces that can be hacked and exploited, DoC seeks comment on a number of issues, including:
1. What types of best practice security guidelines, if any, should be required for different IoT entities,
e.g., manufacturers, integrators, developers, distributors, and operators?
2. To what extent should encryption and/or access and control measures be mandated?
3. Whether a voluntary, flexible security framework could be implemented that accounts for a
company’s products, business models and assets; or should a mandatory “one size fits all”
structure be required?
4. Should IoT equipment manufacturers be required to implement “security by design”
practices, in which risk assessment is made during the product design phase for each
component and security testing be completed according to mandated guidelines before
the product is marketed?
5. What type of authentication tools should be required of IoT equipment manufacturers?
6. Should manufacturers of connected devices be required to include “patching”
capabilities on all their devices in order to mitigate their devices’ known security flaws?
7. Should IoT manufacturers be held liable for security breaches, and how long should such
liability last after a device has been marketed?
8. What are the technical limitations on the various types of IoT devices that could result in
reduced cybersecurity requirements for a given device, and if so, which entities in the
IoT ecosystem should be responsible for security?
Privacy
Commenting that consumer trust and ensuring the privacy of users is an extremely important issue affecting the growth of the IoT industry, DoC requests comment on the unique privacy challenges presented by IoT, and appropriate responses to those challenges, including:
1. Whether a “privacy by design” approach should be implemented, and if so, what types of
privacy enhancing technologies should be implemented in IoT devices before they are marketed?
2. Should new privacy regulations be implemented, or are current laws and regulations,
such as the Federal Trade Commission’s prohibitions on unfair and deceptive trade
practices and sector-specific legislation such as the Children’s Online Privacy Protection Act,
sufficient to deal with IoT privacy challenges?
3. How should challenges to consumer notice and consent be dealt with in the IoT world?
4. Should a single federal policy of data breach notification be implemented, to replace the
current patchwork of laws and regulations?
5. How should data ownership issues be addressed? Should data be protected over the
lifetime of a consumer device?
6. Should privacy and data protection policies be IoT-specific, or be flexible enough to
account for new technologies?
Participation is Key to Avoiding Unnecessary Burdens on Your Company
While DoC seeks comments on a number of issues affecting IoT, it acknowledges that cybersecurity and privacy are the two subjects that are garnering the most interest in the IoT industry as a whole. Many IoT stakeholders that have competing interests have already commented on which entities should be responsible for cybersecurity and privacy, and the requirements that should be imposed on other entities. Now is your chance to make your position known on these vital matters. If the government does not hear your concerns, you may end up saddled with a plethora of government regulations that will add significantly to your cost of doing business and legal liability.
Any stakeholder that wishes to influence how IoT regulations will be implemented should consider participating in this proceeding.
The CommLaw Group has been following this proceeding very closely. We have IoT specialists that are available to answer any questions you may have. We have also published a Comprehensive Guide to Compliance with FCC and FTC Privacy Regulations that is an invaluable resource for IoT and telecommunications firms that are subject to privacy requirements.
IoT Attorney Ronald E. Quirk Jr., is a Senior Managing Attorney at Marashlian & Donahue PLLC, The CommLaw Group, where he focuses his practice on federal, state and international telecommunications regulation and policy, with a particular expertise in assisting clients in navigating the complex labyrinths of RF equipment authorization and enforcement processes around the world. His career has spanned more than 20 years, including several years at AMLAW 100 firms and the FCC. He can be reached at req@commlawgroup.com or (703) 714-1305.