Four United States Senators introduced bipartisan legislation this week that would improve the cybersecurity of Internet-connected devices purchased by the federal government. The Internet of Things Cybersecurity Improvement Act of 2017 (which was drafted with input from several security and technology companies) would require companies selling IoT devices to the government to implement specific security standards, including ensuring their devices: (i) do not have any known security vulnerabilities, (ii) do not use hard-coded passwords that cannot be changed, (iii) rely on industry standard protocols, and (iv) are patchable if security is compromised. (IoT devices with limited data processing and software functionality would be subject to alternative requirements to be developed by the Office of Management and Budget.) The proposed legislation would also require (among other things) the Department of Homeland Security to issue additional guidelines regarding vulnerability disclosure policies applicable to companies selling IoT devices to the federal government.

The legislation could certainly create both additional opportunities and additional responsibilities for companies selling IoT devices to the government (even if some of those opportunities may be delayed as the government determines which devices are acceptable under the new standards). But this legislation should also be of interest to any company that buys or sells IoT devices.

Although Congress has not specifically regulated cybersecurity requirements for IoT, the FTC, FDA, and other regulators are active. For example, the FTC has pursued claims against TRENDnet and D-Link (in 2013 and 2017 respectively) for cybersecurity issues and/or information sharing problems with baby monitors. Now, this new legislation would impose specific requirements on companies selling IoT devices to the federal government. This legislation, however, may also have a trickle-down effect and improve the security of Internet-connected devices sold to American businesses and consumers as well. Many of the same IoT devices sold to the government are also sold to businesses or individual consumers, so any improvement to the security of those products would theoretically apply to all customers. There is the possibility, moreover, that market forces would begin to expect all companies to adopt some or all of these security measures, regardless of the intended customer or end-user.

Ice Miller will be monitoring this proposed legislation and analyzing its potential impact on companies that sell (and purchase) IoT devices. Additional developments will be published here on Ice Miller's blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.