
IoT Laws Aim to Protect User Information and Mitigate Cybersecurity Threats

May 16, 2024
Regulations for IoT continue to evolve in the U.S. and around the world, as governments worldwide implement security laws to protect consumer privacy in the expanding IoT landscape.

What you’ll learn:

  • Insight into IoT technologies.
  • What government laws are being implemented and enacted to protect devices and consumers.
  • What the future holds for IoT security.


The Internet of Things (IoT) can trace its origins back to the early 1980s, when Carnegie Mellon computer scientists modified a Coke machine that could report how many sodas were in the machine and whether the beverages were cold or warm. It was the first ARPANET-connected vending machine and a precursor to the IoT devices, connected appliances, and smart homes that we’re all familiar with today.

The IoT continues to grow and evolve, incorporating the latest technologies to bring new features and efficiencies for a multitude of applications ranging from home-automation systems to wearable medical devices. According to Forbes, 207 billion devices will connect to the worldwide network by the end of 2024, and those numbers are expected to grow over the coming decade.

This dynamic entity of smart technology will continue to permeate our daily lives and integrate into nearly every industry. And as its widespread adoption continues to grow, it raises crucial considerations regarding privacy, cybersecurity, and consumer protections.

In response to those concerns, countries around the world and their respective governments are enacting laws and regulations to address the challenges brought by IoT technologies and networks. Those governments are laying the foundations deemed necessary to establish standards, guidelines, and safeguards to ensure the security and integrity of those technologies and the people who use them. Like it or not, IoT laws will play a pivotal role in shaping IoT’s future.

U.S. IoT Regulations: FCC Initiatives and Consumer Protections

In the U.S., the Federal Communications Commission (FCC) recently approved a voluntary IoT Labeling Program that allows manufacturers to earn the FCC’s approval to display a “US Cyber Trust Mark” on products that meet the standards of the program. It aligns with trends in Europe and Asia, which have already begun to establish similar IoT laws and regulations. The program will initially be open to manufacturers of wireless products, such as appliances, TVs, climate control devices, wearable medical devices, and trackers.

The FCC’s program is voluntary, and it includes no provisions for liabilities. That means manufacturers looking to participate should consider the potential legal ramifications in the event of cybersecurity attacks.

The FCC created the Labeling Program in response to the overwhelming adoption of IoT devices over the last decade, noting that these products are essential in the daily lives of the U.S. population and, as such, are subject to cybersecurity attacks. Their program aims to provide assurance for consumers and allow them to make informed decisions about those products before buying them.

It should be noted that no comprehensive U.S. federal law currently exists to regulate the collection and use of consumers’ personal information. However, there are protections for healthcare (Health Insurance Portability and Accountability Act), financial services (Gramm-Leach-Bliley Act), and children (Online Privacy Protection Act). Congress did put forth a bill, H.R.1668 - IoT Cybersecurity Improvement Act of 2020, that provides cybersecurity protections for IoT devices employed by federal agencies, which was signed into law with bipartisan support at the end of the Trump Administration.

In addition, “recommendations” published by U.S. government entities, such as the Federal Trade Commission (FTC), outline steps businesses can take to protect consumer privacy and security regarding IoT devices. In terms of laws for the consumers themselves, the FTC states, “Regarding legislation to regulate IoT, this report concluded it was too early for specific regulation, pushing instead for broad-based privacy legislation at a federal level.”

The report was published in January 2015, nearly a decade ago, when there were 3.6 billion connected IoT devices in use around the globe, as opposed to the staggering 17.08 billion in use today (2024). The FTC is currently supporting the IoT Labeling Program and advocating for increased security for manufacturers and consumers who use their products.

Recent EU and UK Laws for IoT Device Protection

Other countries around the globe are implementing IoT laws for consumers as well, including the UK, which became the first country to legally mandate cybersecurity standards for IoT devices. The new laws, which launched in April (2024), look to shield consumers from cyberattacks and bolster the country’s resilience against cybercrimes.

The UK Product Security and Telecommunications Infrastructure (Product Security) regime mandates that “manufacturers will be legally required to build security protections into any product with internet connectivity.” What’s more, easily guessed passwords, typically installed by the manufacturers as a default, will be banned to prevent vulnerabilities.

Beyond those two requirements, the new regime requires UK manufacturers to publish vulnerability disclosure policies for reporting security flaws, state minimum periods for delivering security updates, and provide mechanisms for securely updating software.

The European Union (EU) has also taken measures to create protection laws for IoT devices with the Cybersecurity Act and the proposed Cyber Resilience Act, a pair of legislative frameworks designed to enhance cybersecurity and digital resilience. The Cybersecurity Act was enacted into law in 2019 and “establishes a permanent mandate for the E.U. Cybersecurity Agency (ENISA) and introduces an EU-wide cybersecurity certification framework for digital products, services, and processes.”

The Cyber Resilience Act, set to launch this year (2024), pushes those protections further. It focuses on products with digital elements and seeks to improve their security throughout their lifecycle, including everything from design and development to maintenance and disposal.

Laws to Bridge the Gap Between Innovation and Security

The IoT has transformed beyond simple connected devices to become advanced technologies we take advantage of on a daily basis, progressing from simple vending machines that can take note of stock to AI-driven autonomous vehicles. As the IoT continues to expand, it becomes increasingly important to address the challenges associated with privacy, cybersecurity, and consumer protection.

Governments worldwide have recognized a need for IoT laws and regulations to protect users and safeguard against cyberattacks that could cripple those devices and the networks they use. In the U.S., the FCC has taken steps to implement mitigations against intrusions and data theft with its IoT Labeling Program while bolstering the security of federal agencies and the devices they employ. Though the program is a step in the right direction, more needs to be done before consumer devices can be secure.

The UK and countries in the EU stepped up their game to protect their citizens with comprehensive solutions that target the devices themselves, providing security at the local level, while the EU put forth laws implementing digital resilience and certification frameworks. No matter the country, IoT laws and regulations are necessary for the continued development and deployment of existing and future IoT technologies, which must bridge the gap between innovation and security.
