On Thursday, June 29, 2017, Sens. Hatch and Markey introduced the "Promoting Good Cyber Hygiene Act" that would direct the National Institute of Standards and Technology (NIST) to establish a set of baseline voluntary best practices for safeguarding against cyber intrusions that would be updated annually. The legislation would also direct the Department of Homeland Security (DHS) to study cyber security threats to internet-connected devices generally referred to as the "Internet of Things." Similar legislation was introduced in the House by Reps. Eshoo and Brooks.
Looking at the first part of the Senate Bill (the NIST directive), the resulting best practices will likely look similar to the guidance currently in place for the federal government and federal government contractors. Having a standard for best practices will have significant impact on both the insurance industry and tort class action suits for breaches.
Turning to the second part of the Senate Bill (the DHS directive), while the legislation would require only a "report" at this time, the Legislature's focus on this issue suggests that DHS's powers may eventually expand to include regulatory authority over devices in your house or private property. Devices such as your smart refrigerator, your vacuum robot and your smart weight scale are examples of devices that comprise the "Internet of Things," (IoT) and these devices can be and have been utilized during cyber intrusions such as denial of service attacks. Finding the right balance between personal privacy and security has always been tricky, and will continue to be so in this space. The one take away from this legislation is that device manufacturers may soon have an additional compliance layer to consider before releasing a product to the public.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
