Regulating the Internet of Things (“IoT”) is a highly debated topic because it is hard for lawmakers to keep up with evolving technology. Simply put, IoT refers to a system of connected devices that can retain, analyze, and transfer information through a network. Examples of “things” include fitness trackers, smart phones, smart appliances, heart monitors, and automobile sensors. This concept is much more complex from a technical standpoint because the operational aspects of these devices are constantly changing and increasing the amount of data that is generated.
Organizations favor IoT because it helps improve internal and external business operations, reduces costs, and enhances analytical capabilities. While these benefits are great, data transmitted over IoT is unfortunately vulnerable to hacking. This raises security and privacy concerns that have yet to be firmly addressed by lawmakers. Business and legal professionals have mixed feelings about whether IoT should be regulated and if so, whether regulation would even be successful.
What are the Pros and Cons?
There are convincing reasons why there should be some degree of IoT regulation. Below are some regulation pros:
-
Regulation would help avoid security breaches. Many devices lack sufficient security safeguards that leave them open to attack. Because of the connectivity on IoT, hacking one device can harm a multitude of devices and data. Manufacturers of IoT devices would greatly benefit from having clear rules outlining what is needed to prevent security breaches.
-
Privacy concerns would be formally addressed. Many users store personal identifying information on their devices. If security standards are tightened, this private information would be better protected across the board. Additionally, having laws that would penalize organizations for not protecting private information would help to prevent public disclosure of private information.
Looking at this issue from the opposite side, there are potential IoT regulation roadblocks. Below are some cons that make people skeptical about regulation:
-
This technology is constantly changing. Technology advances every day, which makes it hard to regulate. Lawmakers move at a much slower pace because they carefully analyze proposed legislation before passing it into law. This creates the risk that a regulatory scheme may be rendered irrelevant to current technology by the time in becomes enforceable law.
-
Some people view government regulation as improper. Along with concerns that regulation is not feasible, there is also a fear that once regulation begins, IoT could become over-regulated and no longer function in the same manner.
What is the Current State of IoT Regulation?
While the FTC has issued security guidelines and other laws may apply to certain aspects of IoT devices, there are currently no concrete laws that specifically apply to IoT. There are however three pending regulatory programs on the table: The Cyber Shield Act of 2017, The Internet of Medical Things Resilience Partnership Act of 2017, and Cybersecurity Improvement Act of 2017. The first two bills propose programs where participation is voluntary. While both of these bills outline standards that would improve the quality and security of devices, there is no guarantee that companies will actually participate in the programs, which makes voluntary legislation less appealing.
The Cybersecurity Improvement Act is probably the only pending legislation that has a chance of becoming an effective law. However, the reach of this law would still be limited because it only covers companies that contract with the government to purchase their IoT devices. The devices will have to meet several criteria and are subject to monitoring and oversight by the Office of Management and Budget. All of this will help to strengthen cybersecurity and address privacy concerns.
It is unknown whether any of these bills will pass into legislation and what the timeframe would be for program implementation. While IoT security definitely needs to be addressed, the underlying concerns remain and will likely make it difficult to carry out these regulations. Lawmakers may want to provide more authority to the FTC or even explore the structure of the GDPR laws in Europe to determine if any of the framework could work with U.S. regulations.
