U.S., U.K., and E.U. Regulators Turn Focus to IoT
The “Internet of Things” (IoT)—the network of consumer devices connected to the Internet through digital connections and sensors—has dramatically grown over the past five years. A McKinsey analysis estimated that the potential annual economic impact of IoT in 2025 could be between $4 trillion and $11 trillion, with value accruing in manufacturing, urban spaces, human wellness, retail, autonomous vehicles, homes, and other sectors. An analysis by Gartner, Inc. estimated that in 2018, nearly 11.2 billion connected things will be in use globally, and that this figure will surpass 20 billion by 2020.
IoT already has global reach. Nearly one-third of the overall installed IoT base is located outside China, North America, and Western Europe. And although IoT use will continue to grow in commerce and industry, more than 63% of IoT-connected units are already available on the consumer market. Some “smart” consumer products—such as fitness monitors, wearable devices, smart thermostats, and smart TVs—are well-established. In the coming years, connected devices will continue to expand in other categories, including kitchen appliances, toys, and medical devices, among many others.
With the tremendous economic and social impact of connected products, systems, and devices comes a more intensive focus on the legal risks of misuse, defects, and malfunctions. IoT has the potential to make products and services safer (in such diverse areas as consumer products, railroads and food), to reduce workplace hazards, and to improve patient safety and reduce preventable errors in hospitals. Connections to the internet, however, also can introduce new vulnerabilities in the consumer market and in infrastructure, if not properly secured. Manufacturers, retailers, consumers, and regulators are increasingly focused on the consumer safety, security, and privacy implications of connected products.
Three recent events further propelled IoT safety, security, and privacy into the regulatory spotlight, all occurring in the first three months of 2018:
Cybersecurity firm Avast demonstrated that vulnerable Internet-connected devices could be commandeered by hackers and used to “mine” (generate) cryptocurrency. The firm estimated that 15,000 connected devices, if commandeered, could yield $1,000 every four days.
Cybersecurity firm ZingBox released a report shedding light on vulnerabilities in the healthcare context, particularly in hospitals. Among security issues, the company estimated that “user practice issues” (poor security practices) made up 41% of security threats; outdated operating systems and other software made up 33% of threats, with other vulnerabilities (including weak passwords) also playing a significant role. The report estimated that imaging systems and patient monitors were most vulnerable. The good news is that vulnerabilities in connected medical devices can be mitigated; the report advises healthcare providers to focus on “real-time visibility into device deployment and inventory” and enforce appropriate-use policies to “greatly reduce the exposure to rogue applications and lateral movement of infection.”
In January, VTech Electronics Ltd.—which makes “electronic learning products” aimed at children between zero and nine years old—settled a complaint brought by the Federal Trade Commission. The FTC alleged, among other things, that the company violated the Children’s Online Privacy Protection Act (COPPA) by “collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected,” which led to a November 2015 hack in which the hacker penetrated the company’s computer network “by exploiting commonly known and reasonably foreseeable vulnerabilities” and stole personal information about children and parents.
How have regulators reacted to these new issues? In the first few months of 2018, comments from authorities in the U.S. and Europe show more attention being paid to IoT than ever before:
In her keynote address at the annual meeting of the International Consumer Product Health and Safety Organization (ICPHSO) in February, Consumer Product Safety Commission Acting Chairman Ann Marie Buerkle said that the CPSC has jurisdictional authority over IoT vulnerabilities that create a risk of physical harm, but not IoT vulnerabilities that are limited to privacy or information security alone. The CPSC also plans to hold a public meeting on IoT in May.
As reported last week in another Covington Internet of Things Update, the U.K. government in March released a white-paper report, Secure by Design, Improving the Cyber Security of Consumer Internet of Things Report, on consumer IoT. The report proposes an industry “Code of Practice for Security in Consumer IoT Products and Associated Services,” which the U.K. government aims to finalize by summer 2018. The report identifies 13 specific points of guidance for industry, and names the top three priorities as (1) requiring all IoT devices to have unique passwords that are “not resettable to any universal factory default value”; (2) requiring companies to “provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues” and to timely respond to known vulnerabilities; and (3) promoting timely security software updates and publishing clear “end-of-life” policies informing consumers of the time when security support for a given device will end.
Last September, the European Commission proposed a Regulation on Cybersecurity that would introduce a voluntary cybersecurity certification framework to be overseen by the E.U.’s Agency for Network and Information Security (ENISA). The proposed Regulation establishes the primacy of European cybersecurity certification schemes over E.U. Member State schemes. Under the proposal, adopted European cybersecurity certification schemes would supersede all existing parallel E.U. Member State schemes for the same information and communication technology products or services at a given level of assurance. This would bring further clarity, reducing the current proliferation of overlapping and possibly conflicting national cybersecurity certification schemes. The proposal provides that the E.U. schemes would be voluntary (once a product voluntarily complies with a scheme, Member States would accept it as compliant). However, in practice the schemes could become de facto mandatory E.U. standards. The European Parliament and Council must now consider the proposed Regulation for adoption and may introduce significant amendments. The proposed Regulation could enter into force by late 2019.
Connected devices have been on the radar of the U.S. Federal Trade Commission since at least 2013, when it held an IoT workshop, but the FTC has shown little appetite for regulation to date. FTC Acting Chairman Maureen Ohlhausen said last year that the IoT industry should adopt voluntary best practices, with the FTC taking a more reactive, rather than proactive role, intervening only if a “harm manifests.” This approach echoes the software industry’s pushback against regulation. The head of a major software trade association recently argued that the industry should be left to develop autonomously, with “enforcement actions only in cases where there is actual, concrete harm.” Consumer advocates, meanwhile, have pushed the FTC for greater action on IoT privacy.
2018 is shaping up to be a pivotal year in IoT regulation. Interested stakeholders—whether manufacturer, supplier, or end-user—should keep a close eye on new legal and regulatory developments. Covington’s Internet of Things Blog posts will continue to monitor developments and report on future key consultations, analysis and insights here.