Internet of Things and upcoming regulations
We are continuously “connected”: every action, every decision, and even every prediction of our desires and needs is constantly monitored. The authors of this constant and endless flow of data are new technologies, social media and e-commerce platforms. We have exchanged our personal data for a bit of comfort, to gain time in an era of constant frenzy. Voice assistants, behind “good” advertising, appear as new pets, pets which actually capture and record every detail of our private lives. This premise serves to introduce the Internet of Things (IoT): a network of objects equipped with identification technologies, connected to each other and able to communicate, building a huge network of things in which each one is traceable and identifiable.
The first to regulate this network of connected objects was California, with a bill approved last year, which applies to “any device or other physical object capable of connecting to the Internet, directly or indirectly, to which an IP or Bluetooth address is assigned”. This regulation, which will enter into force in January 2020, requires manufacturers (“the person who manufactures or contracts with another person to produce on behalf of the person, connected devices sold or offered for sale in California”) to implement “reasonable” security features, “appropriate” to the nature of the device, and above all able to protect the information contained therein from unauthorized access, destruction, use, modification or disclosure; to this end, the legislation requires that each device be equipped with a password, either preset or generated by the owner, as a condition sine qua non of initial access. California has included exemptions for entities and business associates covered by HIPAA, the Health Insurance Portability and Accountability Act, as well as for “any connected device whose functionality is subject to the security requirements of federal law”. (This is where one enters the delicate sphere of medical devices, such as the wireless pacemaker, a connected and vital device; the threat of a cybersecurity compromise remains so real that government agencies such as the American Food & Drug Administration (FDA) are beginning to address the problem, imposing fines in the face of poor cybersecurity measures in implantable devices.)
Also effective January 2020, the state of Oregon has enacted an IoT law, but with some small differences: although the definition of connected devices is almost the same, here there is an exception relating to those used “mainly for personal, family or domestic purposes”.
Furthermore, Oregon gives a more limited definition of “reasonable security features”, indicating both any means used for external authentication to a local area network, that is:
- a pre-programmed password that is unique to each connected device;
- the requirement for a user to generate a new means of authentication before gaining access to the connected device for the first time;
and compliance with federal laws, which provide, in order to avoid hacking or cyber attacks, that “a unique pre-programmed password or the requirement that a new user of the device generate a new means of authentication before using the device for the first time, ensures that an intelligent device does not have the same default password as the device of all the others”.
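The two compliant options listed above (a factory-assigned password unique to each unit, or no usable credential until the owner sets one on first access) can be modelled in a few lines. The following is an added illustration written for this article, not code from either statute or from any manufacturer; the device model, the shared-default denylist and the `SN-…` serial numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed denylist of credentials that are known to be shared across
# many units of many products; these are illustrative values, not a real list.
SHARED_DEFAULTS = {"admin", "password", "1234", "default"}

# PBKDF2 parameters for the illustration; a real device would pick these
# to match its hardware budget.
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored value is useless if the flash is dumped."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None
    # True while the owner still has to set a credential (second statutory option).
    must_set_credential: bool = False

    def provision_unique_password(self) -> str:
        """Option 1: the factory assigns a random password unique to this unit.

        The clear-text value is returned once so it can be printed on the
        device label; only the salted hash is stored on the device.
        """
        password = secrets.token_urlsafe(12)
        self.pw_hash = _hash(password, self.salt)
        self.must_set_credential = False
        return password

    def provision_first_access_change(self) -> None:
        """Option 2: ship with no usable credential; the owner must create one."""
        self.pw_hash = None
        self.must_set_credential = True

    def set_credential(self, new_password: str) -> None:
        """Accept an owner-chosen credential, rejecting shared defaults and short values."""
        if new_password.lower() in SHARED_DEFAULTS or len(new_password) < 8:
            raise ValueError("credential is a shared default or too short")
        self.pw_hash = _hash(new_password, self.salt)
        self.must_set_credential = False

    def authenticate(self, password: str) -> bool:
        """Deny every login until a credential exists; then compare in constant time."""
        if self.must_set_credential or self.pw_hash is None:
            return False
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def fleet_passwords_unique(passwords) -> bool:
    """The property the Oregon text describes: no two units share a default."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # Option 1 on one unit, option 2 on another.
    labelled = Device("SN-0001")
    label_pw = labelled.provision_unique_password()
    print("label login ok:", labelled.authenticate(label_pw))

    owner_set = Device("SN-0002")
    owner_set.provision_first_access_change()
    print("login before setup:", owner_set.authenticate(""))
    owner_set.set_credential("correct-horse-battery")
    print("login after setup:", owner_set.authenticate("correct-horse-battery"))

    fleet = [Device(f"SN-{i:04d}").provision_unique_password() for i in range(10)]
    print("fleet defaults unique:", fleet_passwords_unique(fleet))
```

The two paths differ in where the secret is born: in the factory (and so must be unique per unit and never reused in a batch) or on the owner's first access (and so the device must refuse every login until that step completes). Either way the device never holds a clear-text password, and a denylist of widely shared defaults stops an owner from reintroducing exactly the weakness the law is aimed at.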
Oregon’s legislation also contains a different definition of “manufacturer”, which here means “a person who produces a connected device and sells or offers for sale the connected device in this state”.
These are only the first two states to regulate connected devices, following the publication in 2015, by the Federal Trade Commission (FTC), of a report that “invited” manufacturers to take proactive measures to protect consumers’ privacy and keep their data secure, strictly applying the Terms of Service (ToS) and making them clear to any buyer of such devices, including whether they contain disclaimers of liability or arbitration clauses intended to prevent possible class actions for product defects or privacy violations.
Surely this will raise many problems, either because of pre-ticked boxes for the various ToS conditions, or because a consumer who does not tick even one thereby shows that he accepts no ToS clause at all, creating a real problem of enforceability for the device purchased!
Moreover, the network of connected devices is expanding, even in the health field, and with it the risk is also growing: if this same connectivity will allow health professionals to provide more responsive and personalized care, it will also make data and devices vulnerable to hackers. It will therefore be necessary to integrate the concept of security as a matter of principle, ensuring that cryptography is present at every stage, together with multi-factor authentication. Companies will have to design their devices to be as secure and redundant as possible to protect them from ransomware and other attacks; they will need to monitor how long patients’ data is retained, to ensure that it is promptly deleted or made completely anonymous; and they will need to involve patients and make them fully aware of what data they hold and how they will use it.
All Rights Reserved
Raffaella Aghemo, Lawyer