The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.
Continue Reading Insurance Coverage Issues for Cyber-Physical Risks
Internet of Things (IoT)
Advisory Group Releases Report on Internet of Things
Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report). BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical issues that can affect users’ Internet experiences. The Report includes contributions from academics, advocacy organizations, and members of the telecommunications and consumer technology industries, with recommendations designed to “dramatically improve the security and privacy of IoT devices and minimize the costs associated with the collateral damage that would otherwise affect both end users and ISPs.”
As used in the Report, IoT refers to “consumer-oriented devices and their associated local and remote software systems.” The Report begins with background information about IoT, why IoT security and privacy is of particular interest, and the observation that many IoT devices do not abide by “rudimentary security and privacy best practices.” According to the Report, IoT devices therefore pose unique security and privacy challenges because they tend to implicate “non-technical or uninterested consumers” and can widely impact Internet access and other services when the devices are compromised by malware.
NIST Releases Cybersecurity Guidance for Internet of Things
On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards. NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research and development and builds upon well-established international standards for systems and software engineering.
Digital Single Market – New Initiatives for Cloud Computing and Internet of Things
By Kristof Van Quathem
Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry-related initiatives aimed at “updating Europe’s digital infrastructure” (see the Commission’s press release, Q&A and homepage). The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things (“IoT”), quantum technologies and high performance computing / big data.
Below we summarize the data protection aspects of the key communications published yesterday.
FTC Settles Deception and Unfairness Charges Against ASUS Over Router Security
The FTC has cautioned that a recent settlement holds lessons for companies involved in the Internet of Things. The settlement, announced on Tuesday, was reached with hardware manufacturer ASUS over concerns that its router products carried certain security vulnerabilities. Notably, in addition to alleging that ASUS’s actions violated promises to…
EU Parliament Policy Report Takes Dim View of EU Commission’s “Pro-Market” Policies on Big Data and Smart Devices
A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.
Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability
Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices. The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to…
House Holds Internet of Things Hearing
By Ani Gevorkian
The Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee held a hearing on Tuesday entitled “The Internet of Things: Exploring the Next Technology Frontier.” The hearing focused on the promises Internet of Things (“IoT”) technology holds, and what role Congress should play in addressing the challenges IoT presents, both with regard to privacy and data security concerns as well as technological concerns.
Panelists included Daniel Castro, Vice President of the Information Technology and Innovation Foundation; Brian van Harlingen, Chief Technology Officer of Belkin International, Inc.; Rose Schooler, Vice President of the IoT Group and GM of the IoT Strategy and Technology Office of Intel Corporation; and, Brad Morehead, CEO of LiveWatch Security, LLC.
House to Hold Hearing on Internet of Things
Next Tuesday, March 24 at 11 a.m., the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing, and Trade will host a hearing entitled “The Internet of Things: Exploring the Next Technology Frontier.” The hearing will follow an Internet of Things (“IoT”) showcase featuring Internet-connected products manufactured in members’ districts.
Top 10 U.S. Privacy Developments of 2014
By Meena Harris and Caleb Skeath
- Data Breaches
  - Studies show increase. Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years. The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012. Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  - State laws. In April, Kentucky became the 47th state to enact a data breach notification law. Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements. California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  - Federal legislation. Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014. The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  - Federal enforcement. In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches. The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies. The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  - Continued attention in 2015. Legislative interest in data breach issues has only increased in early 2015. Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate. The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.