Follow ACC Docket Online:  

This Week in Privacy: What Is the New IoT Cybersecurity Bill?

"This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email ms.kroyal@gmail.com with “This Week in Privacy" in the subject line.


Q: What is the new Internet of Things cybersecurity bill?


A: The Internet of Things (IoT) can broadly be described as devices that are connected to the internet. This may be one device or a compilation of devices ranging from TVs to baby monitors, and from toys to cars. It is estimated, perhaps conservatively, that the IoT market will grow to over 20 billion devices globally in the next three years (2020 is just around the corner). This comprises devices that are consumer, cross-industry, and vertical market specific.  

The threshold to enter the IoT market is low — anyone with the knowledge and ability to create a “thing” that is connected can do so. Thus, the standards for these devices is almost non-existent and certainly not mandated. If there is a security breach or an issue (e.g., Vizio TV’s breach, the IoT security breaches on half of US companies, or when the internet went down due to hacks on toasters), it is unlikely that all of the IoT vendors could be held accountable, simply due to the limitations of their resources.

The new bill — the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 — promulgates rules for government vendors to provide security on IoT devices, such as no hard coded passwords and the ability to patch vulnerabilities. This bill is in direct response to IoT breaches, such as those listed above. The bill also provides exemptions for cybersecurity researchers (hackers), who would otherwise engage in unlawful activity (this has been needed for a while as there is a significant advantage with “white hat hackers”).

About the Author

K Royal is the technology columnist for ACCDocket.com, and director at TrustArc. @heartofprivacykroyal


The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.