Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Pending IoT Legislation Would Impose Significant Obligations on Manufacturers

With the House and Senate returning to Washington in September, two recently introduced Senate bills seek to address perceived vulnerabilities in the security of Internet of Things (IoT) devices sold to the federal government and of medical devices that regularly connect to the Internet.

Among the key takeaways in the legislation:

  • Legislation covers both products sold to the federal government and medical devices;
  • Legislation addresses “life of device” obligations of IoT device manufacturers;
  • Disclosure and certification requirements could create additional liability for manufacturers of Internet of Things devices.

First, Senators Mark Warner, Cory Gardner, Ron Wyden and Steve Daines introduced the “Internet of Things Cybersecurity Improvement Act of 2017” in August to address concerns that IoT devices procured by the federal government may lack basic cybersecurity protections.  Noting that there will likely be more than 20 billion IoT devices by 2020, the legislation will require manufacturers to make certain commitments and provide disclosures regarding their products both during and after the federal procurement process.

Specifically, the proposed legislation requires vendors to certify that the IoT devices being sold to the federal government do not contain any known vulnerabilities; rely on standard protocols; do not have hard-coded passwords; and are patchable.  The legislation creates limited exceptions for agencies to use when their preferred devices are unable to meet these standards, so long as the standards which are adopted by the agencies ensure an equal or greater level of security.  The legislation also requires that OMB prepare a report after five years summarizing the effectiveness of the legislation and suggesting any recommended revisions.

Additionally, Senator Richard Blumenthal introduced legislation before the August recess targeting medical devices that incorporate Internet connectivity. Acknowledging that medical devices contain a wealth of confidential patient information, the legislation requires the creation of a “cyber report card” that would give the public information regarding the device’s cyber capabilities and information from testing and risk assessments, and would give the user the information needed to use the device in a secure manner.

The legislation also requires the manufacturer to provide future security patches and updates free of charge, and establish guidelines for the recycling/disposal of devices (and the data contained therein) at the end of the device’s life.  Finally, the legislation tasks the Department of Homeland Security to work with other government agencies, manufacturers, healthcare providers, and patients to investigate and respond to cybersecurity incidents.

Several other legislative proposals have been introduced during this year’s Congress to address IoT, telemedicine and cybersecurity issues. It is likely that these proposals will need to be combined into comprehensive legislation if any of these efforts is to succeed. However, the prospects of anything passing this year are uncertain, and the specific protections and obligations will likely change before any bill that advances actually becomes law.

September 11, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Health Care, OMB
Tags: IoT, Manufacturing, Medical Devices

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.