On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”).  The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.

The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.”  The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.”  The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.

The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products.  We should expect that the framework NIST sets out in this publication will serve as a model for whatever scheme a future scheme owner establishes.

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail IoT updates in Congress, the states, and federal agencies.

Part IV: Internet of Things

This quarter’s IoT-related Congressional and regulatory updates ranged from promoting consumer awareness to bolstering the security of connected devices.  In particular, the Federal Communications Commission (“FCC”) has taken a number of actions to promote the growth of IoT, while the National Institute of Standards and Technology (“NIST”) continues to work to fulfill its obligations under President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (“EO”), which include developing a consumer labeling program for IoT devices.  Separately, the IoT Cybersecurity Improvement Act of 2020 (H.R. 1668) tasked NIST with developing security standards and guidelines for the federal government’s IoT devices.  This year NIST put out a number of reports to carry out that mandate, including guidance to assist federal agencies in evaluating the security capabilities required of the IoT devices they acquire (NIST SP 800-213).

On Friday, December 4, 2020, President Trump signed the bipartisan Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 into law.  The IoT Cybersecurity Improvement Act empowers the National Institute of Standards and Technology (“NIST”) to create cybersecurity standards for internet-connected devices purchased and used by federal agencies.  For more information on the law, please

The bipartisan Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 (S. 734, H.R. 1668) has passed the House and the Senate and is headed to the President’s desk for signature.  The bill was sponsored in the House by Representatives Hurd (R-TX) and Kelly (D-IL), and in the Senate by Senators Warner (D-VA) and Gardner (R-CO).  President Trump is expected to sign the measure into law.

According to Senator Warner (D-VA), the bill would “harness the purchasing power of the federal government and incentivize companies to finally secure the [internet-connected] devices they create and sell.”

The IoT Cybersecurity Improvement Act will require the National Institute of Standards and Technology (“NIST”) to develop minimum cybersecurity standards for internet-connected devices purchased or used by the federal government.  The bill sets forth the following requirements:

The Department of Commerce’s National Institute of Standards and Technology (“NIST”) has released Version 1.0 of its Privacy Framework.  This voluntary framework aims to provide organizations with strategies to improve their privacy practices, build customer trust, and fulfill compliance obligations.  It is designed to be flexible and non-prescriptive, allowing public and private organizations of all sizes to adapt the framework to their own goals and priorities.

NIST announced its intention to develop this tool in September 2018, and spent the following year collaborating with stakeholders – including corporations, governments, academics, industry groups, and non-profits – to create a draft.  It released a preliminary draft of the framework in September 2019, soliciting comments that were used to create Version 1.0.

The Privacy Framework comes at a time of significant change for organizations endeavoring to manage their privacy risk.  Federal, state, and local governments around the world are issuing first-of-their-kind privacy laws, with more on the horizon, as we have written about previously.  This patchwork of untested laws increases the challenge of privacy compliance in the U.S. and abroad.

Earlier this month the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Draft NISTIR 8267, Security Review of Consumer Home Internet of Things (IoT) Products, for public comment. NIST will accept public comments on the report through November 1, 2019.

Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks.  Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST issued a request for information to get a better understanding of how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework.  The key updates in Version 1.1 are summarized below.

[The referenced article was originally published in Law360.]

Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been

In the immediate aftermath of discovering a cybersecurity incident, companies often face many questions and few answers amidst a frenzy of activity.  What happened?  What should we do now?  What legal risks does the company face, and how should it protect against them?  In this environment, it can be difficult to coordinate activity across an incident response.  Well-intentioned actions by incident responders can easily expose the company to liability or regulator scrutiny, or waive applicable legal privileges (for example, by generating forensic findings outside the direction of counsel).

Instead of waiting to make critical incident response decisions in the “fog of war” that follows the detection of a cybersecurity incident, organizations should think about how to respond before an incident actually occurs.  Responding to a cyberattack can involve a wide variety of stakeholders, including IT and information security personnel, forensic analysts and investigators, legal counsel, communications advisors, and others.  Advance planning, including the development and exercise of an incident response plan, allows a company to coordinate activities across these different work streams and to test that coordination before it is needed.  Below, this post describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.

On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments.  The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.

Process

The GAO turned to a variety of resources to explore the four identified issues.  For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S.  In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”).  Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.