Internet of Things (IoT)

By Grace Kim and Siobhan Kahmann

Following an informal consultation earlier this year – as covered by our previous IoT Update here – the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) published the final version of its Code of Practice for Consumer IoT Security (“Code”) on October 14, 2018. This was developed by the DCMS in conjunction with the National Cyber Security Centre, and follows engagement with industry, consumer associations, and academia. The aim of the Code is to provide all organizations involved in developing, manufacturing, and retailing consumer Internet of Things (“IoT”) products with guidelines on how to achieve a “secure by design” approach. Each of the thirteen guidelines is marked as primarily applying to one or more of the following categories: device manufacturers, IoT service providers, mobile application developers, and retailers.

The Code brings together what is widely considered good practice in IoT security. At the moment, participation in the Code is voluntary, but it has the aim of initiating and facilitating security change through the entire supply chain and compliance with applicable data protection laws. The Code is supported by a supplementary mapping document and an open data JSON file, which refer to the other main industry standards, recommendations and guidance. Ultimately, the Government’s ambition is for appropriate aspects of the Code to become legally enforceable, and it has commenced a mapping exercise to identify the impact of regulatory intervention and the necessary changes.
Continue Reading IoT Update: The UK publishes a final version of its Code of Practice for Consumer IoT Security

On September 26, 2018, New Jersey federal district judge Madeline Cox Arleo dismissed an eight-count class action complaint in its entirety against three smart TV makers: Samsung, LG, and Sony.  The plaintiffs alleged that defendants’ smart TVs continuously monitored and tracked their viewing habits, recorded their voices, and then transmitted
Continue Reading New Jersey District Judge Dismisses All Counts Against Smart TVs

CTIA, the U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi.  The program permits device makers to submit such IoT devices for testing by CTIA-authorized labs in order to obtain a certification of compliance with respect to cybersecurity.
Continue Reading U.S. Wireless Industry Establishes IoT Security Certification Program

Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks.  Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST issued a request for information to get a better understanding of how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework.  The key updates in Version 1.1 are summarized below.
Continue Reading NIST Releases Updated Cybersecurity Framework

Two hundred billion IoT devices could be in use by 2020, according to one estimate cited in the World Economic Forum’s recent report, Mitigating Risk in the Innovation Economy.  This rapid integration of the digital world and the physical world presents unprecedented opportunities for businesses in a wide array
Continue Reading Covington Internet of Things Update: Promise and Peril — IoT and Your Insurance

On January 12, the International Consumer Electronics Show (CES) in Las Vegas closed its doors for another year.  Each CES raises a new set of technology themes, ranging from robots to smart fridges — and this year, the winner was voice technologies.  Such technologies, while not entirely new, are now
Continue Reading Voice Technologies, Meet the EU E-Privacy Regulation

By Susan Cassidy, Jenny Martin, and Catlin Meade

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53.  NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”).  The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems.

In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.”  In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems.  In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber-physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53.  Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.
Continue Reading NIST Releases Fifth Revision of Special Publication 800-53

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government.  As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts
Continue Reading A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

A bill pending in the California legislature, if passed, would create new obligations for manufacturers of “connected devices.” S.B. 327 (also known as the “Teddy Bear and Toaster Act”) would operate somewhat differently than existing laws, such as the California Online Privacy Protection Act (“CalOPPA”).

Security obligations. Manufacturers of
Continue Reading California Bill Poised to Change Regime Governing the Internet of Things

On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the need for broad public-private cooperation, defined consumer rights and responsibilities, and international streamlining efforts. The Report focused on eight cybersecurity topics identified in the Commission’s charging Executive Order: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, state and local government cybersecurity, and additionally insurance and international issues.

After studying these eight critical areas, the Commission articulated ten foundational principles that shaped its recommendations in the Report. These principles focused on the growth in size and density of Internet-connected systems, United States and federal government leadership in cybersecurity innovation, private-public collaboration, clear definitions of authority and accountability, consumer education, user-friendly cybersecurity products, privacy and trust development, the unique needs and constraints of small businesses, and designing incentives for innovation.

The Report then enumerated myriad imperatives, recommendations, and action items for the current and next Presidential administrations to develop robust cybersecurity in the nation.
Continue Reading The Commission on Enhancing National Cybersecurity Releases Its Report on Securing and Growing the Digital Economy