Jul 142017

Federal Agencies Focus on Risks, Guidance for Internet of Things

Colleen Theresa Brown and Michaelene E. Hanley
, , , ,

Businesses and consumers are increasingly using Internet of Things (“IoT”) devices to communicate and process quantities and types of information that have never before been captured.  In response, more federal agencies are turning their attention to the potential risks, and developing guidance for the deployment of IoT technologies.  The latest to weigh in on risks include the Governmental Accountability Office and the Department of Commerce.

The Government Accountability Office (“GAO”) conducted a study, reviewing key reports and literature and convening expert meetings, identifying key challenges related to the rapid emergence of IoT technology entitled “Internet of Things: Status and implications of an increasingly connected world.”  The GAO May 2017 report highlights information security, privacy, safety, standards, and economic issues.  The report included concerns about cyberattacks, particularly for smart technology in automobiles and medical devices that could be hacked, endangering the health and safety of the users.  It also acknowledged the potential for IoT devices to collect information about individuals without their knowledge or consent, and the potential downstream use or sale of that data.  Ten federal agencies and twelve experts reviewed the report to provide technical comments prior to its publication.

The Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) created a working group focused on the creation of draft IoT guidance for device manufactures to increase the number of products on the market with improved security.  The draft guidance was issued in April of this year, and has been the subject of comments by stakeholders in the working group, including other federal entities.  In its June 19th public comments submitted to the working group, the FTC addressed key elements for manufactures to convey to consumers that will better inform purchases and use of devices.  The Commission focused on security updates and suggested that manufactures disclose how long consumers could expect security support for a product, and whether the device will lose basic functionality when that support comes to an end. The FTC also focused on concerns about how consumers would learn about security updates and how they would be notified of when security support was no longer provided. The FTC’s comments provide consumers and entities alike with suggestions on how to improve IoT experience and safety.

The working group’s next meeting will be on July 18, 2017.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Michaelene E. Hanley

mhanley@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.