Internet of Things (IoT)

Earlier this month the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Draft NISTIR 8267, Security Review of Consumer Home Internet of Things (IoT) Products, for public comment. NIST will accept public comments on the report through November 1, 2019.
Continue Reading IoT Update: NIST Seeks Public Comment on Security Review of Smart Home IoT Devices

On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed.  Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations.  The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.

While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”): 
Continue Reading FTC Reaches Settlement with Developer of Tracking Apps

On April 8, 2019, the EU High-Level Expert Group on Artificial Intelligence (the “AI HLEG”) published its “Ethics Guidelines for Trustworthy AI” (the “guidance”).  This follows a stakeholder consultation on its draft guidelines published in December 2018 (the “draft guidance”) (see our previous blog post for more information on the draft guidance).  The guidance retains many of the same core elements of the draft guidance, but provides a more streamlined conceptual framework and elaborates further on some of the more nuanced aspects, such as on interaction with existing legislation and reconciling the tension between competing ethical requirements.

According to the European Commission’s Communication accompanying the guidance, the Commission will launch a piloting phase starting in June 2019 to collect more detailed feedback from stakeholders on how the guidance can be implemented, with a focus in particular on the assessment list set out in Chapter III.  The Commission plans to evaluate the workability and feasibility of the guidance by the end of 2019, and the AI HLEG will review and update the guidance in early 2020 based on the evaluation of feedback received during the piloting phase.
Continue Reading EU High-Level Working Group Publishes Ethics Guidelines for Trustworthy AI

The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”).  The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here).  It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.
Continue Reading EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

On March 29, 2019, the ICO opened the beta phase of the “regulatory sandbox” scheme (the “Sandbox”), which is a new service designed to support organizations that are developing innovative and beneficial projects that use personal data.  The application process for participating in the Sandbox is now open, and applications must be submitted to the ICO by noon on Friday May 24, 2019. The ICO has published on its website a Guide to the Sandbox, which explains the scheme in detail.

The purpose of the Sandbox is to support organizations that are developing innovative products and services using personal data and develop a shared understanding of what compliance looks like in particular innovative areas.  Organizations participating in the Sandbox are likely to benefit from having the opportunity to liaise directly with the regulator on innovative projects with complex data protection issues.  The Sandbox will also be an opportunity for market leaders in innovative technologies to influence the ICO’s approach to certain use cases with challenging aspects of data protection compliance or where there is uncertainty about what compliance looks like.

The beta phase of the Sandbox is planned to run from July 2019 to September 2020.  Around 10 organizations from private, public and third sectors will be selected to participate.  In the beta phase, the ICO is focusing on data processing that falls within the remit of UK data protection law.  
Continue Reading ICO opens beta phase of privacy “regulatory sandbox”

Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).

In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices.  Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.

Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes.  The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.

Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).
Continue Reading European Parliament Approves EU Cybersecurity Act

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
Continue Reading Senate Reintroduces IoT Cybersecurity Improvement Act

On February 27, 2019, Covington hosted its first webinar in a series on connected and automated vehicles (“CAVs”).  During the webinar, which is available here, Covington’s regulatory and public policy experts covered the current state of play in U.S. law and regulations relating to CAVs.  In particular, Covington’s experts focused on relevant developments in: (1) federal public policy; (2) federal regulatory agencies; (3) state public policy; (4) autonomous aviation; and (5) national security.

Highlights from each of these areas are presented below.Continue Reading Covington Hosts First Webinar on Connected and Automated Vehicles

One week from today, Covington will host its first webinar in a series on connected and automated vehicles (“CAVs”). The webinar will take place on February 27 from 12 to 1 p.m. Eastern Time. During the webinar, Covington’s regulatory and legislative experts will cover developments in U.S. law and regulations
Continue Reading Covington to Host Webinar on Connected and Automated Vehicles

The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric systems (“BES”) operations.  The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems.  The final rule will take effect sixty days after it is published in the Federal Register.  The new standards must be implemented in eighteen months.  More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with bulk electric systems (“BES”), are provided below.
Continue Reading FERC Approves New Cybersecurity Standards for Supply Chain Risk Management