The “Internet of Things” (IoT)—the network of consumer devices connected to the Internet through digital connections and sensors—has grown dramatically over the past five years. A McKinsey analysis estimated that the potential annual economic impact of IoT in 2025 could be between $4 trillion and $11 trillion, with value accruing in manufacturing, urban spaces, human wellness, retail, autonomous vehicles, homes, and other sectors. An analysis by Gartner, Inc. estimated that nearly 11.2 billion connected things would be in use globally in 2018, and that this figure would surpass 20 billion by 2020.

IoT already has global reach. Nearly one-third of the overall installed IoT base is located outside China, North America, and Western Europe. And although IoT use will continue to grow in commerce and industry, consumer devices already account for more than 63% of connected units. Some “smart” consumer products—such as fitness monitors, wearable devices, smart thermostats, and smart TVs—are well-established. In the coming years, connected devices will continue to expand into other categories, including kitchen appliances, toys, and medical devices, among many others.

With the tremendous economic and social impact of connected products, systems, and devices comes a more intensive focus on the legal risks of misuse, defects, and malfunctions. IoT has the potential to make products and services safer (in such diverse areas as consumer products, railroads, and food), to reduce workplace hazards, and to improve patient safety and reduce preventable errors in hospitals. Internet connectivity, however, can also introduce new vulnerabilities into consumer products and infrastructure if those connections are not properly secured. Manufacturers, retailers, consumers, and regulators are increasingly focused on the consumer safety, security, and privacy implications of connected products.

Three recent events further propelled IoT safety, security, and privacy into the regulatory spotlight, all occurring in the first three months of 2018:

  • Cybersecurity firm Avast demonstrated that vulnerable Internet-connected devices could be commandeered by hackers and used to “mine” (generate) cryptocurrency. The firm estimated that 15,000 connected devices, if commandeered, could yield $1,000 every four days.
  • Cybersecurity firm ZingBox released a report shedding light on vulnerabilities in the healthcare context, particularly in hospitals. The company estimated that “user practice issues” (poor security practices) accounted for 41% of security threats and that outdated operating systems and other software accounted for 33%, with other vulnerabilities (including weak passwords) also playing a significant role. The report identified imaging systems and patient monitors as the most vulnerable device categories. The good news is that vulnerabilities in connected medical devices can be mitigated; the report advises healthcare providers to focus on “real-time visibility into device deployment and inventory” and to enforce appropriate-use policies to “greatly reduce the exposure to rogue applications and lateral movement of infection.”
  • In January, VTech Electronics Ltd.—which makes “electronic learning products” aimed at children between zero and nine years old—settled a complaint brought by the Federal Trade Commission. The FTC alleged, among other things, that the company violated the Children’s Online Privacy Protection Act (COPPA) by “collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected,” which led to a November 2015 hack in which the attacker penetrated the company’s computer network “by exploiting commonly known and reasonably foreseeable vulnerabilities” and stole personal information about children and parents.

How have regulators reacted to these new issues? In the first few months of 2018, comments from authorities in the U.S. and Europe show more attention being paid to IoT than ever before:

  • In her keynote address at the annual meeting of the International Consumer Product Health and Safety Organization (ICPHSO) in February, Consumer Product Safety Commission Acting Chairman Ann Marie Buerkle said that the CPSC has jurisdictional authority over IoT vulnerabilities that create a risk of physical harm, but not over IoT vulnerabilities that are limited to privacy or information security alone. The CPSC also plans to hold a public meeting on IoT in May.
  • As reported last week in another Covington Internet of Things Update, the U.K. government in March released a white-paper report, Secure by Design: Improving the Cyber Security of Consumer Internet of Things Report, on consumer IoT. The report proposes an industry “Code of Practice for Security in Consumer IoT Products and Associated Services,” which the U.K. government aims to finalize by summer 2018. The report identifies 13 specific points of guidance for industry, and names the top three priorities as (1) requiring all IoT devices to have unique passwords that are “not resettable to any universal factory default value”; (2) requiring companies to “provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues” and to respond to known vulnerabilities in a timely manner; and (3) promoting timely security software updates and publishing clear “end-of-life” policies that tell consumers when security support for a given device will end.
  • Last September, the European Commission proposed a Regulation on Cybersecurity that would introduce a voluntary cybersecurity certification framework to be overseen by the E.U.’s Agency for Network and Information Security (ENISA). The proposed Regulation establishes the primacy of European cybersecurity certification schemes over E.U. Member State schemes: once adopted, a European scheme would supersede all existing parallel Member State schemes for the same information and communication technology products or services at a given level of assurance. This would bring further clarity, reducing the current proliferation of overlapping and possibly conflicting national certification schemes. The proposal provides that the E.U. schemes would be voluntary (once a product complies with a scheme, Member States would accept it as compliant). In practice, however, the schemes could become de facto mandatory E.U. standards. The European Parliament and Council must now consider the proposed Regulation for adoption and may introduce significant amendments. The proposed Regulation could enter into force by late 2019.
  • Connected devices have been on the radar of the U.S. Federal Trade Commission since at least 2013, when it held an IoT workshop, but the FTC has shown little appetite for regulation to date. FTC Acting Chairman Maureen Ohlhausen said last year that the IoT industry should adopt voluntary best practices, with the FTC taking a more reactive, rather than proactive role, intervening only if a “harm manifests.” This approach echoes the software industry’s pushback against regulation. The head of a major software trade association recently argued that the industry should be left to develop autonomously, with “enforcement actions only in cases where there is actual, concrete harm.” Consumer advocates, meanwhile, have pushed the FTC for greater action on IoT privacy.

2018 is shaping up to be a pivotal year in IoT regulation. Interested stakeholders—whether manufacturer, supplier, or end-user—should keep a close eye on new legal and regulatory developments. Covington’s Internet of Things Blog posts will continue to monitor developments and report on future key consultations, analysis and insights here.

Sarah Wilson

Sarah Wilson is a litigation and investigations partner who chairs the firm’s market-leading Product Safety Practice Group. Her clients include the world’s largest global consumer and commercial products manufacturers across a range of industries, including consumer packaged goods, automotive vehicles and equipment, aviation, electronics, life sciences, and information technology. Sarah has successfully represented clients in the largest recalls and safety-related investigations in recent history, including airbags, fire extinguishers, single load liquid laundry packets, toxic chemicals in household products, lithium-ion battery-powered laptops, car seats, and electric bikes and scooters. Sarah assists clients in developing cutting edge recall policies, compliance program enhancements, and voluntary safety standards.

Prior to joining Covington, Sarah served in several high-ranking federal government positions, including as a federal judge on the U.S. Court of Federal Claims, as Senior and Associate Counsel to the President, and as a Deputy Assistant Attorney General and Trial Attorney in the Department of Justice.

Laura Kim

Laura Kim draws upon her experience in senior positions at the Federal Trade Commission to advise clients across industries on complex advertising, privacy, and data security matters. She provides practical compliance advice and represents clients in FTC and State AG investigations. Laura advises on a wide range of consumer protection issues, including green claims, influencers, native advertising, claim substantiation, Made in USA claims, children’s privacy, subscription auto-renewal marketing, and other digital advertising matters. In addition, Laura actively practices before the NAD, including recent successful resolution of matters for both challengers and advertisers. She is the Chair of Covington’s Advertising and Consumer Protection Investigations Group and participates in the firm’s Internet of Things Initiative.

Laura re-joined Covington after a twelve-year tenure at the FTC, where she served as Assistant Director in two divisions of the Bureau of Consumer Protection, as well as Chief of Staff in the Bureau of Consumer Protection and Attorney Advisor to former Chairman William E. Kovacic. She worked on key FTC Rules and Guides such as the Green Guides, Jewelry Guides, and the Telemarketing Sales Rule. She supervised these and other rule making proceedings and oversaw dozens of the Commission’s investigations and enforcement actions involving compliance with these rules. Laura also supervised compliance monitoring for companies under federal court or Commission order.

Laura also served as Deputy Chief Enforcement Officer at the U.S. Department of Education, where she helped establish a new Enforcement Office within Federal Student Aid. In this role, she managed investigations of higher education institutions and oversaw issuance of fines and adverse actions for institutions in violation of federal student aid regulations. Laura also supervised the borrower defense to repayment division and the Clery campus safety and security division.