Sep 262018

Developing IoT Policy from California to Washington, D.C.

Colleen Theresa Brown and Gabrielle Whitehall
, , , , ,

The growing network of internet of things (IoT) devices is expected to reach 30 billion devices by 2020. Despite this tremendous growth, the state of IoT regulation is patchwork at best. Although the FTC is the primary security regulator for consumer IoT devices, there are no comprehensive regulations or laws specific to the unique challenges of the IoT market. This absence of clear and unambiguous standards can be a burden for IoT companies who are looking to innovate while maintaining their customers’ privacy. 

NIST initiatives in IoT

To help offer consistent guidance regarding the privacy and security of IoT devices, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk in IoT devices. On October 16, 2018, in conjunction with the International Association of Privacy Professionals’ Privacy, NIST will begin holding a series of public workshops to collect input from stakeholders. These workshops seek to develop practical tools and recommendations to support continued U.S. innovation, while ensuring stronger privacy protections.

California Legislature Takes Aim at IoT Privacy Regulations

Months after passing the sweeping California Consumer Privacy Act of 2018 (“CCPA”), the California legislature once again is proposing potentially significant privacy and security requirements. As the summer closed, the legislature passed companion bills (CA AB 1906 and CA SB 327) that are intended to regulate the security of connected devices.  If signed by Governor Brown, the legislation would go into effect on the same day as the CCPA, January 1, 2020.

The requirements contained in the companion bills are additive to any duties or obligations imposed under other laws, including the CCPA.  A connected device, as defined in the bills, is any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or a Bluetooth address. Given this broad definition, it could apply to any device that is capable of connecting to the Internet or to another device, including cell phones, toys, computers, and almost certainly most smart home devices.

The bills require manufacturers of connected devices to equip the devices with “reasonable security features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information it may collect, contain, or transmit; and
  • designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the requirements above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either:

  • the preprogrammed password is unique to each device manufactured; or
  • the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

Notably, medical devices and other items subject to federal standards would be exempt from the bill. The bills do not provide a separate specific private right of action, but the bill provides for enforcement by the Attorney General, a city attorney, a county counsel, or a district attorney. The bills also do not address civil penalties or remedies that may result from enforcement. However, it is possible that the requirement to implement reasonable security measures could be used to establish a legal duty in data breach cases and other privacy claims, even when enforced by consumers.  As with other emerging privacy laws, this could lead to an increase in privacy litigation perhaps well beyond California.

*Update: Gov. Brown signed the new California IoT bill into law on September 28, 2018.

 

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Gabrielle Whitehall

gwhitehall@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).