As federal internet of things legislation proves elusive, US states push ahead

As connected devices proliferate, U.S. federal and state legislators are grappling with how to regulate the rapidly evolving internet of things for security and privacy concerns.

Given the billions of connected devices and a lack of codified industry standards for IoT, some cybersecurity experts advocate broad controls that protect data across a range of sectors and devices, like Europe's recently enacted General Data Protection Regulation. However, others warn that a broad approach to data privacy and regulation could stifle innovation, particularly in the IoT sector, where many devices depend on free access to consumer data to improve the interactive experience.

"There is a greater understanding and sense of urgency amongst all regulators globally for protecting consumer data," said Sean McDevitt, a partner at Arthur D. Little who serves on the strategy consulting firm's Telecommunications, Internet, Media, and Electronics Practice, in an interview.

Yet despite that sense of urgency, he said "the governance framework around IoT [is] and will be evolving for some time," bogged down by policy that generally cannot match the pace of innovation in a rapidly evolving market.

At the federal level, a handful of pending bills are aimed at addressing this challenge. Among the most recent is a draft bill known as the State of Modern Application, Research and Trends of IoT, or the SMART IoT Act, that would direct the Secretary of Commerce to compile a comprehensive survey of internet-connected devices across the public and private sectors. The U.S. House Subcommittee on Digital Commerce and Consumer Protection on May 22 reviewed the draft legislation in a hearing that highlighted the ongoing debate about how to balance protecting consumers with promoting innovation. Some earlier bills that were introduced in either the House or Senate went further, proposing standards for IoT devices sold to consumers or purchased by the federal government. To date, none of those bills have been signed into federal law.

One of the major questions the SMART IoT Act hopes to help answer is which regulatory agency is or should be regulating specific IoT applications. Today, IoT applications such as smart cars or connected medical devices can be subject to the jurisdiction of multiple federal agencies, leading to overlapping or sometimes inconsistent regulation.

Center for Internet Security Senior Vice President and Chief Evangelist Tony Sager said the problem of varying regulatory oversight leads to inefficiencies for the industry "because they have to spend all their energy replying to the safety people, the security people, the government regulator." The Center for Internet Security is a nonprofit that works to develop industry-led standards for cybersecurity.

The confusion over agencies' roles is also seen in the pending federal IoT bills. The House's Securing IoT Act envisions the Federal Communications Commission developing cybersecurity standards, for instance, while the Senate's IoT Consumer TIPS Act would have the Federal Trade Commission creating IoT cybersecurity resources for consumers.

"In the U.S., FTC has typically taken the lead in consumer data protection and privacy issues," McDevitt said, though he noted that the agency is somewhat limited by the fact that nearly all FTC enforcement actions occur "post 'bad behavior'" and rely on authority created for a "different market structure."

Another question for IoT legislation is how targeted it should be. Sager said there is "no appetite" at the congressional level for specific rules that could be construed by the business community as being anti-consumer or anti-innovation. Without a broad federal law as a guideline, he expects various agencies and state governments will develop their own cybersecurity guidelines for IoT and other data-driven technologies.

"We all agree we need to do something," he said.

Coordination between the public and private spheres will be essential to avoid creating unintended consequences, Sager said. "If we do not do that then ... we're just driving up costs and complexity for our society," he said.

At least 42 states introduced more than 240 cybersecurity bills in 2017, according to the National Conference of State Legislatures, or NCSL. California State Assemblywoman Jacqui Irwin, D-Thousand Oaks, the co-chair of the NCSL's Task Force on Cybersecurity, said she and her colleagues host a quarterly working group in an effort to maintain consistency in cybersecurity efforts across state lines and thus ease the burden on companies that operate in multiple states.

Irwin said she is attempting to craft policy that can easily be used as a standard by other states and potentially the federal government. Most recently, Irwin introduced a bill that would require a unique preprogrammed or user-generated password for all connected devices. The U.S. Computer Emergency Readiness Team previously identified connected devices relying on default passwords as a high security risk.

Irwin said the goal of her legislation, which has been approved by the California Assembly and is awaiting a vote in the state Senate, is to get companies to prioritize cybersecurity, "to make sure as you're developing these game-changing applications you also think about how to make sure these devices don't get hacked."

She added, "What you really hope is that the industry also self-regulates and realizes that, if you are acting responsibly and you don't have these big breaches, there's no need to step in with legislation."