Photo of Lindsay Brewer

Lindsay Brewer

Lindsay advises clients on environmental, human rights, product safety, and public policy matters.

She counsels clients seeking to set sustainability goals; track their progress on environmental, social, and governance topics; and communicate their achievements to external stakeholders in a manner that mitigates legal risk. She also advises clients seeking to engage with regulators and policymakers on environmental policy. Lindsay has extensive experience advising clients on making environmental disclosures and public marketing claims related to their products and services, including under the FTC’s Green Guides and state consumer protection laws.

Lindsay's legal and regulatory advice spans a range of topics, including climate, air, water, human rights, environmental justice, and product safety and stewardship. She has experience with a wide range of environmental and safety regimes, including the Federal Trade Commission Act, the Clean Air Act, the Consumer Product Safety Act, the Federal Motor Vehicle Safety Standards, and the Occupational Safety and Health Act. Lindsay works with companies of various sizes and across multiple sectors, including technology, energy, financial services, and consumer products.

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail IoT updates in Congress, the states, and federal agencies.

Part IV: Internet of Things

This quarter’s IoT-related Congressional and regulatory updates ranged from promoting consumer awareness to bolstering the security of connected devices.  In particular, the Federal Communications Commission (“FCC”) has taken a number of actions to promote the growth of IoT while the National Institute of Standards and Technology (“NIST”) continues to work to fulfill its obligations under President Biden’s May Executive Order on Improving the Nation’s Cybersecurity (“EO”).  The IoT Cybersecurity Improvement Act of 2020 (H.R.1668) additionally tasked NIST with developing security standards and guidelines for the federal government’s IoT devices.  This year NIST put out a number of reports to carry out this mandate, including guidance documents to assist federal agencies with evaluating the security capabilities required in their IoT devices (NIST SP 800-213).
Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

 As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail CAV updates in Congress and federal agencies.
Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail data privacy updates in Congress and federal agencies.
Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail AI updates in Congress, state legislatures, and federal agencies.
Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

Introduction

In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation.  As we recently covered on May 12,  President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems.  On the hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.
Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021

On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).

The maximum penalty per violation for all four tiers was previously $1.5 million.  HHS’s new policy states that the annual penalty limit for Tier 1 violations has now been decreased from $1.5 million to $25,000.  The new annual penalty limits for Tier 2 and 3 violations are now $100,000 and $250,000, respectively.  The penalty limit for Tier 4 violations will remain at $1.5 million.
Continue Reading HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure

Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices.  The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper insights into the ten principles articulated in the Start with Security guide.  These guidelines serve as a set of minimum recommended standards for “reasonable” data security practices by organizations with access to personal data (i.e. information related to consumers and employees), although they can be applied to other types of data as well.  The recommendations are not legal requirements, of course, but it can be useful for companies to consider the views of the FTC’s staff on the practices that are likely to be seen by the FTC as “reasonable.”  This post summarizes the recommendations made by the FTC’s staff in the Stick with Security series.
Continue Reading Key Information Security Pointers from the FTC’s Stick with Security Guidance