FTC Staff Submits Comment to CPSC on Potential IoT Safety Hazards
The Consumer Product Safety Commission (CPSC) held a public hearing on May 16, 2018 on the potential safety risks and hazards related to connected consumer products and requested comments on the topic by June 15. The CPSC noted in its request for comments that its remit does not extend to the risks associated with personal data security and privacy. The event ended with a call for interested parties to also address issues raised at the hearing. On June 15, staff of the Federal Trade Commission's (FTC) Bureau of Consumer Protection (BCP) submitted a comment that reiterated the FTC's expertise and jurisdiction over IoT information privacy and security issues. The FTC comments also noted that IoT products could pose both physical hazards, such as burns and chemical exposure, and technological hazards "associated with the loss of critical safety function, loss of connectivity, or degradation of data integrity," saying that the CPSC could play a helpful role in mitigating these risks.
The BCP staff comment focused on three aspects for the CPSC to consider in evaluating its role: What are some best practices for predicting and mitigating against safety hazards? How can the CPSC encourage consumers to register for safety alerts and recall information? What is the appropriate role of government in IoT security?
BCP staff suggested that the CPSC consider the following in assessing a possible regulatory approach to IoT:
- Consider how companies might provide consumers with the opportunity to sign up for communications regarding safety notifications and recalls for IoT devices;
- To the extent the CPSC considers regulating IoT devices, CPSC's approach should be technology-neutral and sufficiently flexible to avoid becoming obsolete as technology changes;
- To the extent that the CPSC considers certification requirements for IoT devices, the CPSC should consider requiring manufacturers to publicly set forth the standard to which they adhere to improve transparency and provide consumers with better information with which to assess the safety and security of their devices.
Staff also reiterated FTC guidance to IoT companies on how to predict and mitigate against information privacy and security risks. In evaluating risk, the FTC notes that "there is no 'one size fits all' approach to securing IoT devices. Reasonable security will depend on a variety of factors including the magnitude of potential risks, the likelihood of such risks, and the availability of low-cost tools to address the risks." These comments recognize that mandatory standards and certifications risk freezing technology and undermining a sound risk-based approach.
As we stated previously, it is important for all agencies to keep abreast of technology and safety issues related to IoT products. Since the FTC and other agencies have years of expertise and jurisdiction over privacy and data security, it will be important for agencies to coordinate and collaborate, focusing on their respective areas of expertise. The FTC is the lead agency on information security. It makes sense for the CPSC to focus on situations where connected product security flaws implicate physical safety in the operation of the product rather than information privacy and security questions.