In March 2018, the Consumer Product Safety Commission (CPSC) issued a Notice of Public Hearing and Request for Written Comments on The Internet of Things and Consumer Product Hazards. The CPSC asked for input on existing safety standards that apply to IoT devices, how to prevent hazards, and the role of government in promoting IoT safety.
The Federal Trade Commission voted to authorize its Bureau of Consumer Protection to submit comments. In particular, the FTC staff comment addressed the following issues:
- Best practices for predicting and mitigating safety hazards.
- How the CPSC can encourage consumers to sign up for safety alert and recall information.
- The appropriate role of government in promoting IoT Safety.
The FTC staff’s recommended guidance for IoT safety mirrors the business guidance it has given on data security and privacy: there is no one-size-fits-all solution. Specifically, the comment suggests that companies conduct a risk assessment, oversee their service providers, and maintain an ongoing process to keep up with security best practices.
According to the FTC, the starting point should be a risk assessment that identifies reasonably foreseeable threats and hazards and the measures that mitigate them. One example of a reasonably foreseeable risk is that attackers compromise credentials and use them to take over IoT devices. To address that risk, the FTC recommends that companies test their authentication mechanisms and consider when multi-factor authentication makes sense. The FTC also recommends that security measures be tested before a product is launched.
Second, the comment notes that IoT devices are typically built from a variety of software and hardware components supplied by third parties. Accordingly, IoT manufacturers would be well served to take reasonable steps to ensure that their service providers and other suppliers follow reasonable and responsible data security practices, including assessing supply-chain risks and overseeing vendors.
Third, with respect to data security, companies must maintain an ongoing process to keep up with security practices, safety hazards, and other threats. Specifically, the comment recommends that companies stay abreast of developments in the marketplace generally and keep a careful eye on how their IoT products behave after launch.
The comment notes that while manufacturers can update some devices automatically, many devices require consumers to take affirmative steps to install patches, and getting the word to consumers that an update is required poses a variety of challenges. The FTC suggests that the CPSC consider borrowing from its existing process for safety notifications on infant and toddler products, under which manufacturers and retailers of those products must provide consumers with a safety registration card for mail-in registration. The comment suggests that the CPSC consider establishing an online registration process. With respect to the timing of security patches, it recommends that “companies should provide patches for vulnerabilities in security-only updates when the benefits of more immediate action outweigh the convenience of bundling the security update with a functionality update.”
The comment notes that at the hearing many panelists suggested that regulation was needed to establish IoT-specific standards. While the FTC comment does not take a position on this issue, it recommends that, to the extent the CPSC considers such regulations, they be technology-neutral and flexible enough not to become obsolete as technology and cyber threats evolve. In addition, to the extent the CPSC considers certification requirements for IoT devices, the FTC staff recommends requiring manufacturers to publicly state the standards to which they adhere, which improves transparency and gives consumers the opportunity to evaluate the safety and security of IoT devices. The FTC staff comment is consistent with the approach the FTC has taken on privacy and security generally.