July 16, 2018

July 13, 2018

Subscribe to Latest Legal News and Analysis

Cybersecurity Update - August 10, 2017

As connected products are increasingly integrated into everyday life, measures to address the security of Internet of Things (IoT) devices continue to evolve. Some of the latest initiatives include the following.

NTIA issues guidance on cybersecurity communications

Last month, as part of an ongoing multi-stakeholder initiative, a working group of the National Telecommunications and Information Administration (NTIA) issued guidance to help IoT manufacturers more effectively communicate cybersecurity and privacy information to consumers. The working group considered guidance from other agencies, including the Federal Trade Commission and Department of Homeland Security, nonprofits, and industry.

The NTIA document, Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, focuses on “key elements” for manufacturers to consider communicating to consumers prior to purchase, which are crucial for transparency and informed choice. They include informing consumers upfront whether their devices will receive security updates, how updates will be communicated (e.g., will they update automatically?), and when updates will end. NTIA also recommends addressing how users are notified about security updates; what happens when a device no longer receives update support; how the manufacturer secures updates; any costs for consumers to keep their devices current once updates end; and when or whether a device ceases to operate or loses functionality when security support ends, or whether users bear the risk of operating the device once security updates end.

The guidance emphasizes that updates and patches do not offer complete device protection and are not the sole security measures that IoT manufacturers and consumers should take. Thus, while the guidance provides a useful roadmap for IoT manufacturers, companies may wish to consider advising on additional security practices and policies that apply to the device and prudent steps for consumers to take to maintain device security, such as password management. The recent focus on communicating about IoT updates and patches appears to stem from the recognition that IoT devices are powered by software, and that software is updated and replaced, sometimes frequently.

Internet of Things (IoT) Cybersecurity Improvement Act of 2017

On August 1, Senate Cybersecurity Caucus co-chairs Mark Warner (D-VA) and Cory Gardner (R-CO) introduced a bill to provide minimum cybersecurity operational standards for connected products purchased by federal agencies. Per Senator Gardner, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.” The bill would require agencies to include a clause in procurement contracts requiring suppliers of connected products to meet basic industry-wide cybersecurity standards. Suppliers would be obliged to provide written certification that devices do not contain any known security vulnerabilities or defects, and allow for patching of security updates. In addition, connected devices would be prohibited from including hard-coded passwords, which can provide a back door for malware.

Although this bill would apply only to connected products purchased by the federal government, federal procurement standards are often mirrored by state procurement officials and can find their way into other specifications as well.

ANSI introduces first independent cybersecurity standard

Another development affecting cybersecurity of connected products is the finalization of the first independent standard for IoT device cybersecurity. The American National Standards Institute (ANSI) introduced UL 2900-1, General Requirements for Software Cybersecurity for Network-Connectable Products, on July 5. Developed as part of UL’s Cybersecurity Assurance Program, the UL 2900 series applies established security design principles to measurable criteria to assess vulnerabilities of connected products. UL 2900 has been recognized by the Food and Drug Administration, which is expected to formally announce its adoption in the next Federal Register notice.

As cybersecurity standards, guidelines, and proposed regulations for IoT devices proliferate, it is important to remember that the specific security measures adopted must be relevant to the type of information collected by a particular IoT device, including the potential sensitivity of that data.

© 2018 Keller and Heckman LLP


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions. 

Nathan Cardon, Keller Heckman, product safety attorney, labor lawyer, consumer protection law, cybersecurity matters

Nathan Cardon joined Keller and Heckman in 2013.  Mr. Cardon practices in the areas of product safety, privacy, and advertising.

In his product safety practice, Mr. Cardon counsels clients on risk management and product safety strategies, as well as on compliance with Consumer Product Safety Commission (CPSC) requirements, including new requirements under the Consumer Product Safety Improvement Act of 2008 (CPSIA). 

In the privacy and advertising practice, Mr. Cardon is involved in a wide variety of privacy, data...