New Internet of Things Security Legislation Introduced in U.S. Senate

August 3, 2017 by George A. Gasper, Partner | Clayton Heil, Partner

Four United States Senators introduced bipartisan legislation this week that would improve the cybersecurity of Internet-connected devices purchased by the federal government. The Internet of Things Cybersecurity Improvement Act of 2017 (which was drafted with input from several security and technology companies) would require companies selling IoT devices to the government to implement specific security standards, including ensuring their devices: (i) do not have any known security vulnerabilities, (ii) do not use hard-coded passwords that cannot be changed, (iii) rely on industry-standard protocols, and (iv) are patchable if security is compromised. (IoT devices with limited data processing and software functionality would be subject to alternative requirements to be developed by the Office of Management and Budget.) The proposed legislation would also require (among other things) the Department of Homeland Security to issue additional guidelines regarding vulnerability disclosure policies applicable to companies selling IoT devices to the federal government.

The legislation could certainly create both additional opportunities and additional responsibilities for companies selling IoT devices to the government (even if some of those opportunities may be delayed as the government determines which devices are acceptable under the new standards).  But this legislation should also be of interest to any company that buys or sells IoT devices. 

Although Congress has not specifically regulated cybersecurity requirements for IoT, the FTC, FDA, and other regulators are active. For example, the FTC has pursued claims against TRENDnet and D-Link (2013 and 2017 respectively) for cybersecurity issues and/or information sharing problems with baby monitors. Now, this new legislation would impose specific requirements on companies selling IoT devices to the federal government. This legislation, however, may also have a trickle-down effect and improve the security of Internet-connected devices sold to American businesses and consumers as well. Many of the same IoT devices sold to the government are also sold to businesses or individual consumers, so any improvement to the security of those products would theoretically apply to all customers. There is also the possibility that market forces would begin to expect all companies to adopt some or all of these security measures, regardless of the intended customer or end-user.

Ice Miller will be monitoring this proposed legislation and analyzing its potential impact on companies that sell (and purchase) IoT devices. Additional developments will be published here on Ice Miller’s blog.

Please contact George Gasper or Clay Heil, members of Ice Miller’s Internet of Things Industry Group, if you would like to discuss these issues further. 

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

