FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

Internet of ThingsThe Federal Trade Commission’s (FTC’s) Settlement in FTC v. Vizio, Inc.may signal the direction that agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”

© MICHAEL BEST & FRIEDRICH LLP

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting  laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology are becoming connected to the Internet. Representatives from both committees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices.  There are likewise no significant legal or economic penalties for selling devices to consumers that are insecure. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Insurance Coverage Issues for Cyber-Physical Risks

internet of thingsThe recent National Institute of Standards and Technology (NIST)publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.

These exclusions are no doubt assumed to “dovetail” with (i.e., to avoid duplicating) the bodily injury and property damage coverage traditionally afforded by general liability and first-party property insurance policies. But it is not always clear whether those more conventional policies cover bodily injury or property damage arising from a cyber-related peril (so-called “cyber-physical” risks). Unless an insurance program specifically addresses these risks, the determination of coverage for physical harm from a cyber-attack may depend on a close reading of policy language and a fact-intensive analysis of how the harm arose.

Policyholders would be well advised to understand the potential cyber-physical risks they face; to analyze all their current lines of coverage to determine whether and how each would respond to those risks; to seek clarifications in their current insurance wordings; to explore new “difference in conditions” insurance products designed to plug any gaps in coverage for such risks; and, ultimately, to expect disputes with their insurers if these novel cyber-physical harms should materialize.

© 2016 Covington & Burling LLP

Senate Panel Passes “Internet of Things” Bill

Internet of Things.jpgOn Wednesday April 27th, the Senate Commerce Committee passed a bill meant to increase government involvement in the development of the “Internet of Things” (IoT).

By a voice vote, the committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act, sponsored by Sen. Deb Fischer (R-Neb.), Sen. Kelly Ayotte (R-N.H.), Sen. Cory Booker (D-N.J.), and Sen. Brian Schatz (D-Hawaii).  The bill would require the establishment of a working group tasked with identifying proposals meant to facilitate IoT growth.  The working group would include representatives from the Transportation Department, the Commerce Department, the Federal Trade Commission, the Federal Communications Commission, Office of Science and Technology Policy, and the National Science Foundation. Separately, the Commerce Department recently issued a Request For Public Comment seeking comment on the role of government in fostering the advancement of IoT.

The bill also sets up a steering committee that will include industry stakeholders.  Both the working group and the steering committee will examine a range of IoT issues, including the regulatory challenges that may limit the growth of IoT and the availability of wireless spectrum for IoT devices.  The committee also approved several minor amendments to the bill, which, among other things, expanded the government agencies involved in the working group.

Article By Ani Gevorkian of Covington & Burling LLP
© 2016 Covington & Burling LLP

Top Manufacturing Trends to Watch for in 2016

Cybersecurity

Manufacturers continued to face challenges and find opportunities related to cybersecurity in 2015, and those trends can only be expected to intensify in 2016. New laws and new threats (discussed in more detail here and here) have either incentivized or required manufacturers to evaluate their cybersecurity strengths and weaknesses, then capitalize on the former and work to eliminate the latter. In light of the rapid evolution of cybersecurity technology and threats, manufacturers can expect to devote, or continue to devote, significant resources to cybersecurity issues in 2016.

Disruptive Technology/Internet of Things

Smart products, big data, and analytics are not just for tech companies anymore. Many manufacturers are now constantly looking for ways to leverage these tools to improve their process, their products, and their customers’ satisfaction, and those who aren’t may be falling behind. In an increasingly connected world, manufacturers need to keep pace and ensure that their products not only stay relevant, but push the envelope whenever possible. Potential regulation of the open Internet (discussed here) only complicates matters, and gives manufacturers more reason to carefully watch this trend in 2016.

Regulatory Developments in China

In 2015, manufacturers saw dramatic changes in China’s regulatory landscape (discussed in more detail here, here, and here), including new restrictions on hazardous substances for electronics manufacturers, data-flow and content restrictions, and currency devaluations that significantly complicated the international trade landscape. Additional changes are surely coming in 2016, with new implementing measures for defective auto product recalls and a more aggressive climate policy being only some of the changes to watch. Manufacturers currently operating or selling products in China or looking to expand there in 2016 should pay close attention to these and other developments.

© 2016 Foley & Lardner LLP

FAST Act Calls for Examination of Internet of Things

The Internet of Things (IoT), as defined by Wikipedia, is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.  Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

In short, if we look at the objects we use in everyday life – from our phones, to our laptops, to even our copy machines or printers at work – each is able to collect and potentially exchange vast amounts of data.  While the capabilities of these devices and objects to collect data and exchange data will likely improve our daily lives, it is also important to examine how to protect the privacy and security of the information and data which is collected and shared.

The Fixing America’s Surface Transportation Act (FAST Act) includes a number of provisions related to privacy, including an amendment to the Gramm-Leach-Bliley Act (GLBA) as well as the enactment of the Driver Privacy Act of 2015.  Interestingly, the FAST Act also requires a report on the potential of the IoT to improve transportation services in rural, suburban, and urban areas.

Specifically, Section 3024 of Title III, requires the Secretary of Transportation to submit a report to Congress not later than 180 days after December 4, 2015 (the enactment date of the FAST Act).  The report, presumably to address the issues discussed above, is to include (1) a survey of the communities, cities, and States that are using innovative transportation systems to meet the needs of ageing populations; (2) best practices to protect privacy and security, as determined as a result of such survey; and (3) recommendations with respect to the potential of the IoT to assist local, State, and Federal planners to develop more efficient and accurate projections of the transportation.

While it is unclear exactly what information will be captured in the report, it’s clear the drafters of Section 3024 have recognized the importance of data privacy and security while utilizing the IoT to improve transportation.  On a more personal note, I have to believe I am not alone in hoping that the report will finally address (and correct!) the traffic patters related to my daily commute!

Jackson Lewis P.C. © 2015

Three Trending Topics in IoT: Privacy, Security, and Fog Computing

Cisco has estimated that there will be 50 billion Internet of Things (IoT) devices connected to the Internet by the year 2020. IoT has been a buzzword over the past couple of years. However, the buzz surrounding IoT in the year 2015 has IoT enthusiasts particularly exerted. This year, IoT has taken center stage at many conferences around the world, including the Consumer Electronics Show (CES 2015), SEMI CON 2015, and Createc Japan, among others.

1. IoT will Redefine the Expectations of Privacy

Privacy is of utmost concern to consumers and enterprises alike. For consumers, the deployment of IoT devices in their homes and other places where they typically expect privacy will lead to significant privacy concerns. IoT devices in homes are capable of identifying people’s habits that are otherwise unknown to others. For instance, a washing machine can track how frequently someone does laundry, and what laundry settings they prefer. A shower head can track how often someone showers and what temperature settings they prefer. When consumers purchase these devices, they may not be aware that these IoT devices collect and/or monetize this data.

The world’s biggest Web companies, namely, Google, Facebook, LinkedIn, and Yahoo are currently involved in lawsuits where the issues in the lawsuits relate to consent and whether the Web companies have provided an explicit enough picture of what data is being collected and how the data is being used. To share some perspective on the severity of the legal issues relating to online data collection, more than 250 suits have been filed in the U.S. in the past couple of years against companies’ tracking of online activities, compared to just 10 in the year 2010. As IoT devices become more prevalent, legal issues relating to consent and disclosure of how the data is being collected, used, shared or otherwise monetized will certainly arise.

2. Data and Device Security is Paramount to the Viability of an IoT Solution

At the enterprise level, data security is paramount. IoT devices can be sources of network security breaches and as such, ensuring that IoT devices remain secure is key. When developing and deploying IoT solutions at the enterprise level, enterprises should conduct due diligence to prevent security breaches via the IoT deployment, but also ensure that even if an IoT device is compromised, access to more sensitive data within the network remains secure. Corporations retain confidential data about their customers and are responsible for having adequate safeguards in place to protect the data. Corporations may be liable for deploying IoT solutions that are easily compromised. As we have seen with the countless data breaches over the past couple of years, companies have a lot to lose, financially and otherwise.

3. Immediacy of Access to Data and Fog Computing

For many IoT solutions, timing is everything. Many IoT devices and environments are “latency sensitive,” such that actions need to be taken on the data being collected almost instantaneously. Relying on the “cloud” to process the collected data and generate actions will likely not be a solution for such IoT environments, in which the immediacy of access to data is important. “Fog computing” aims to bring the storage, processing and data intelligence closer to the IoT devices deployed in the physical world to reduce the latency that typically exists with traditional cloud-based solutions. Companies developing large scale IoT solutions should investigate architectures where most of the processing is done at the end of the network and closer to the physical IoT devices.

The Internet of Things has brought about new challenges and opportunities for technology companies. Privacy, security and immediacy of access to data are three important trends companies must consider going forward.

© 2015 Foley & Lardner LLP