Federal Agencies Focus on Risks, Guidance for Internet of Things

Businesses and consumers are increasingly using Internet of Things (“IoT”) devices to communicate and process quantities and types of information that have never before been captured.  In response, more federal agencies are turning their attention to the potential risks, and developing guidance for the deployment of IoT technologies.  The latest to weigh in on risks include the Governmental Accountability Office and the Department of Commerce.

The Government Accountability Office (“GAO”) conducted a study, reviewing key reports and literature and convening expert meetings, identifying key challenges related to the rapid emergence of IoT technology entitled “Internet of Things: Status and implications of an increasingly connected world.”  The GAO May 2017 report highlights information security, privacy, safety, standards, and economic issues.  The report included concerns about cyberattacks, particularly for smart technology in automobiles and medical devices that could be hacked, endangering the health and safety of the users.  It also acknowledged the potential for IoT devices to collect information about individuals without their knowledge or consent, and the potential downstream use or sale of that data.  Ten federal agencies and twelve experts reviewed the report to provide technical comments prior to its publication.

The Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) created a working group focused on the creation of draft IoT guidance for device manufactures to increase the number of products on the market with improved security.  The draft guidance was issued in April of this year, and has been the subject of comments by stakeholders in the working group, including other federal entities.  In its June 19th public comments submitted to the working group, the FTC addressed key elements for manufactures to convey to consumers that will better inform purchases and use of devices.  The Commission focused on security updates and suggested that manufactures disclose how long consumers could expect security support for a product, and whether the device will lose basic functionality when that support comes to an end. The FTC also focused on concerns about how consumers would learn about security updates and how they would be notified of when security support was no longer provided. The FTC’s comments provide consumers and entities alike with suggestions on how to improve IoT experience and safety.

The working group’s next meeting will be on July 18, 2017.