Pending IoT Legislation Would Impose Significant Obligations on Manufacturers
With the House and Senate returning to Washington in September, two recently introduced Senate bills seek to address perceived vulnerabilities in the security of Internet of Things (IoT) devices sold to the federal government and of medical devices that regularly connect to the Internet.
Among the key takeaways in the legislation:
The legislation covers both products sold to the federal government and medical devices;
The legislation addresses "life of device" obligations of IoT device manufacturers;
Disclosure and certification requirements could create additional liability for manufacturers of Internet of Things devices.
First, Senators Mark Warner, Cory Gardner, Ron Wyden and Steve Daines introduced the "Internet of Things Cybersecurity Improvement Act of 2017" in August to address concerns that IoT devices procured by the federal government may lack basic cybersecurity protections. Noting that there will likely be more than 20 billion IoT devices by 2020, the bill would require manufacturers to make certain commitments and provide disclosures regarding their products both during and after the federal procurement process.
Specifically, the proposed legislation requires vendors to certify that the IoT devices being sold to the federal government do not contain any known vulnerabilities, rely on standard protocols, do not have hard-coded passwords, and are patchable. The legislation creates limited exceptions for agencies to use when their preferred devices are unable to meet these standards, so long as the alternative standards adopted by the agencies ensure an equal or greater level of security. The legislation also requires that the Office of Management and Budget (OMB) prepare a report after five years summarizing the effectiveness of the legislation and suggesting any recommended revisions.
Additionally, Senator Richard Blumenthal introduced legislation before the August recess targeting medical devices that incorporate Internet connectivity. Acknowledging that medical devices contain a wealth of confidential patient information, the legislation requires the creation of a "cyber report card" that would give the public information about the device's cyber capabilities and the results of testing and risk assessments, and would give the user information on how to operate the device in a secure manner.
The legislation also requires the manufacturer to provide future security patches and updates free of charge, and to establish guidelines for the recycling or disposal of devices (and the data contained therein) at the end of the device's life. Finally, the legislation tasks the Department of Homeland Security with working with other government agencies, manufacturers, healthcare providers, and patients to investigate and respond to cybersecurity incidents.
Several other legislative proposals have been introduced during this session of Congress to address IoT, telemedicine and cybersecurity issues. These proposals will likely need to be combined into comprehensive legislation if any of these efforts are to succeed. However, the prospects of anything passing this year are uncertain, and the specific protections and obligations will likely change before any bill that advances actually becomes law.