September 16, 2019

September 16, 2019

Subscribe to Latest Legal News and Analysis

FTC Submits Comments on IoT Security

The Federal Trade Commission (FTC) submitted public comments to the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) in connection with the NTIA’s draft guidance on improving the security of Internet of Things (IoT) devices. The FTC’s comments focus on ensuring that manufacturers better inform consumers about security updates.

The FTC suggests in the public comments that consumers would benefit, prior to purchasing an IoT device, from clear information about the device manufacturer’s support period. In particular, the FTC suggests that manufacturers should disclose a minimum support period with a clear start date or, preferably, a clear end date. With such advance disclosure about the support period, consumers would be better equipped to compare devices. In addition, the FTC suggests that manufacturers should disclose if an IoT device will stop working or become highly vulnerable to attack after the support period ends—especially where consumers would expect that a similar “dumb” device (such as a refrigerator or toaster) would have a longer, safer lifespan even after support has lapsed.

Additionally, the FTC suggests that manufacturers should consider using a uniform notification method to inform consumers about security updates. A notice on a device’s screen or in the notification center of a device-related app are examples of easily accessible ways for consumers to receive such notifications. Consumers are oftentimes unaware that security updates are available or needed, so effective notifications are a critical component in the maintenance of IoT device security. The FTC also suggests that, at the point of sale of an IoT device, manufacturers could offer consumers the option to sign up for affirmative notifications related to security support, including when the support period is about to end.

Lastly, the FTC takes issue with the NTIA’s suggestion that IoT device manufacturers inform consumers about the update process and how the manufacturer secures updates—arguing that this information is of little benefit to consumers and risks being technically arcane and therefore difficult for consumers to understand. Moreover, the FTC suggests that if such information is combined with what the FTC views as more important information about security updates, consumers may balk at the volume and level of technical detail and skip reading the information altogether.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Emily Lowe, Corporate finance Attorney, Morgan Lewis
Of Counsel

Emily R. Lowe represents clients in commercial transactions, with a focus on the acquisition, use, protection, development, and commercialization of technology and biotechnology. Emily helps domestic and international companies commercialize their products through various commercial vehicles, including manufacturing and supply agreements and distribution strategies, and development and licensing agreements.

412.560.7438
Katherine B. O'Keefe, Morgan Lewis, Technology Lawyer
Associate

Katherine B. O’Keefe is part of a team that handles critical commercial transactions that enable our clients to run their business operations effectively. The team is focused on technology transactions, including licensing, services, and alliance deals that involve emerging technologies such as cloud computing, software as a service (SaaS), and data analytics. Our technology, outsourcing, and commercial transactions lawyers assist clients in managing their online presence, from website development, hosting, and maintenance; to privacy and use policies; to data breach and retention issues.

215-963-5564