The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Internet of Things

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Lessons for Connected Devices From the FTC’s Warning Against Unexpected Data Collection 

    In a recently announced $2.2 million settlement with television manufacturer VIZIO, the FTC and the state of New Jersey emphasized the importance of providing notice and consent, particularly when connected-device users may not expect the types of data collection and sharing taking place. The action demonstrates the coordination of federal and state enforcement agencies, and the settlement terms serve to inform connected-device companies about the agencies' expectations. In terms of data collection and disclosure, “companies should consider what consumers expect of a device, particularly if it was an analog device that has not been smart in the past,” FTC attorney Megan Cox told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs” (Jan. 11, 2017).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs

    Technology often outpaces regulation. Connected devices such as smart TVs are no exception. Like other devices in the growing Internet of Things, smart TVs provide a variety of conveniences and content options to their users, along with a range of serious data privacy and security risks, and regulators are struggling to keep pace with developments. In a recent WilmerHale program, attorneys D. Reed Freeman and Sol Eppel discussed the FTC’s December 2016 workshop, and detailed the regulatory and legal regimes that may affect smart TV manufacturers, providers and users. See also “New NIST and DHS IoT Guidance Signal Regulatory Growth” (Nov. 30, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Presidential Commission Recommends Ways For Public and Private Sectors to Improve Cybersecurity 

    Cybersecurity has been a focus of the current administration. To look beyond the current term, however, a nonpartisan commission appointed by President Obama recently issued an extensive report recommending short- and medium-term actions for the Trump administration and the private sector to take over the next five years to improve cybersecurity, while protecting privacy, fostering innovation and ensuring economic and national security. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016) and “Gibson Dunn Attorneys Discuss the Impact of Obama’s Executive Order Creating New Tools to Fight Cyber Attacks” (May 6, 2015).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    New NIST and DHS IoT Guidance Signal Regulatory Growth 

    The marketplace is flooding with connected devices and innovation is outpacing regulation and security measures. A recent widespread denial-of-service attack illustrated that connected devices present risks not only to the individual users but to interconnected networks on a massive scale. In an effort to address these risks, the Department of Homeland Security recently issued written security guidance for developers, manufacturers, service providers and users. Adding to the growth of risk-based guidance in this area, the National Institute of Standards and Technology has also recently published detailed engineering standards. To best implement the advice from these various sources, Covington partner Jennifer Martin told The Cybersecurity Law Report that companies that make, use or provide services for connected devices should (1) understand the basic building blocks and principles of a good security program; (2) identify specific regulatory expectations for their particular industry; and (3) identify what role they play in the supply chain or device life cycle. See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    How to Protect Against Weaponized Devices in Light of the Massive Denial-of-Service Attack

    Tweets, shopping, money transfers and entertainment were some of the countless internet activities stopped in their tracks by a recent massive attack on a domain name service provider. The hackers utilized ordinary household connected devices to carry out one of the largest denial-of-service attacks to date, shutting down more than a thousand sites such as Amazon, Twitter, Netflix and PayPal. While such attacks are not new and are typically quickly mitigated, this one was critically different in terms of its scale and its reliance on compromised connected devices, and presented “another type of attack that even state-of-the-art organizations in terms of data security have to contend with,” Ed McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Examining Newly Released Privacy and Security Guidance for the Fast-Driving Development of Autonomous Cars

    Auto manufacturers and technology companies are moving closer to making driverless cars a reality, much to the excitement and fear of consumers. While autonomous cars have the potential to provide enormous safety and environmental benefits, this uncharted territory also presents an array of unknowns for companies and consumers. As a first step to address the risks of this new technology, and signal possible regulations, the government has released voluntary guidance for manufacturers that addresses safety, privacy and security. “The 15-point Safety Assessment may be a safe harbor that provides a benchmark for car manufacturers to meet,” Alma Murray, senior counsel for privacy at Hyundai Motor America, explained to The Cybersecurity Law Report. “This standard-setting is also good for the consumer/driver in that it sets a standard of care that must be met by manufacturers which, if not met, can subject the manufacturers to lawsuits.” See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016); and “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Securing the Connected Car: Privacy, Security and Self-Regulation

    Much like smartphones, today’s automobiles have become vast data endpoints, equipped with advanced electronics, sensors and computing power. In cars, though, these advancements not only facilitate communications but also enhance safety and the driving experience. As panelists at the recent IAPP Privacy Summit pointed out, a breach can implicate physical safety as well as data privacy. The panelists, including in-house experts at AT&T and General Motors, discussed the threat landscape for connected cars, the current regulatory framework governing cybersecurity of connected cars and how the automobile industry is developing best practices and automobile design to meet consumer expectations while minimizing cybersecurity risk. See also “Designing Privacy Policies for Products and Devices in the Internet of Things” (Apr. 27, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    Managing Risk for the Internet of Things in the Current Regulatory Landscape

    The explosion of the Internet of Things – connected devices from wearables and appliances to cars and sensors – triggers a common refrain among privacy practitioners: technology is rapidly outpacing regulation. As revealed at recent panels during the State of the Net Wireless, the American Bar Association’s Antitrust Law Spring Meeting and the INCOMPAS policy summit, regulators face daunting challenges and companies must be strategic and agile to mitigate IoT risk. Regulators, consultants, policy experts, in-house counsel and others detailed where the regulations stand and how companies can maintain up-to-date cyber defenses while navigating murky legal terrain in a universe where laws and standards are still evolving – and sometimes are nonexistent. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Designing Privacy Policies for Products and Devices in the Internet of Things

    The connectivity of common devices, from watches to refrigerators, brings with it multiplying privacy challenges. Traditional ways of explaining privacy choices do not always work in this space, and manufacturers, consumers and regulators are struggling to find balance between privacy and convenience. Dana Rosenfeld and Crystal Skelton, Kelley Drye & Warren partner and associate, respectively, talked to The Cybersecurity Law Report about challenges and solutions for designing the Internet of Things for privacy. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part Two of Two)

    “The risks of cybersecurity are being felt more in healthcare-related companies,” Abhishek Agarwal, chief privacy officer for legal and compliance at a major global healthcare company, told The Cybersecurity Law Report, particularly in the area of connected medical devices. Government, industry and outside counsel experts agree that it is essential to evaluate and monitor cybersecurity vulnerabilities and the potential impacts on patient health and safety from the beginning and throughout a product’s lifecycle to mitigate those risks. This second article in our two-part series explores operational best practices and post-market considerations to address medical device cybersecurity, including the new proposed FDA post-market guidance and adding connectivity to existing devices. Part one examined the development and risks of connected devices and recommended pre-market steps companies should take. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part One of Two)

    Along with many industries, healthcare companies are developing an increasing number of devices with internet and network connectivity. Bringing a medical device to market requires a greater level of scrutiny than other connected products, however, because a cybersecurity breach to one of these devices may be life-threatening. “When we look at the product lifecycle management process, privacy and cybersecurity have to be an essential step that is addressed as an integral product feature,” Abhishek Agarwal, chief privacy officer for legal and compliance at Baxter International, told The Cybersecurity Law Report. With input from outside counsel, in-house counsel and regulators, the first article in this series discusses the development and risks of connected devices and recommends pre-market steps companies should take, including questions to ask during a risk assessment and relevant laws and FDA guidance to consider. The second article will explore post-market considerations including breach response, adding connectivity to existing devices, the new proposed FDA post-market guidance and operational best practices. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).
  • From Vol. 1 No.9 (Jul. 29, 2015)

    How to Secure Evolving Mobile Technology and the Data It Collects (Part One of Two)

    Mobile device technology is changing at a rapid pace, as are the ways consumers are interacting with those devices. This atmosphere is continually creating new cybersecurity and data privacy challenges that demand the attention of retailers, app developers, consumers and regulators. During a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams, and H. Leigh Feldman, global chief privacy officer at Citi, discussed privacy and security issues in the mobile arena. This article, the first of a two-part series, explains the specific challenges related to mobile and wearable technology and presents best practices for stakeholders as consumers demand control of their information. See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). The second article in the series will discuss the complex policy and regulatory landscapes for mobile devices in the U.S. and Europe, including enforcement efforts.

  • From Vol. 1 No.4 (May 20, 2015)

    Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things

    The Internet of Things – physical objects with Internet connectivity – provides conveniences and efficiencies for consumers and companies but also security and privacy challenges.  In this interview with The Cybersecurity Law Report, Ed McNicholas, a partner at Sidley Austin and co-chair of the firm’s privacy, data security and information law practice, discusses how companies should address privacy notification with connected devices, the consent issues and cybersecurity threats presented by the Internet of Things, and the movement toward a personalized Internet.

  • From Vol. 1 No.3 (May 6, 2015)

    Top Private Practitioners and Public Officials Detail Hot Topics in Cybersecurity and Best Practices for Government Investigations

    A former federal judge, officials at the Consumer Financial Protection Bureau and the DOJ as well as attorneys from Crowell Moring and Document Technologies Inc. were among the panelists at a recent program hosted by the Practising Law Institute.  The panel covered a broad range of topics including public awareness of data security issues; the scope and operation of government investigations regarding data breaches; practical advice for companies developing data security programs; and recent legal issues and developments related to data security.
