The IoT Security Law

Daniel Pepper, partner at the law firm BakerHostetler, explained that the new law obliges companies building connected products to implement “reasonable security features” on said products.

However, he pointed out that the definition of reasonable is vague (registration required), but the law does consider the device’s function and the type of data it collects when determining how reasonable those security features are. The law also calls for devices that connect to the internet to have a unique password and to require that a user generate a new password or method of authentication when they fire up the device for the first time. For reference:

In fact, the definition of connected device is quite broad. Under the definition, a connected device is any device or “other physical object” that can connect to the internet (even by being paired with another device) and assigned an IP or Bluetooth address.

Securing the Global IoT

Rauscher argues that IoT security should be a joint effort. She added that the rapid increase of smart devices and lack of regulation until now have created precise conditions for attackers to break into home networks through doorbells, thermostats or baby monitors. Manufacturers must now make IoT devices with the highest possible security measures built in and make it easy for consumers to change passwords and update firmware.

Consumers however also need to do their part and must learn how they can protect themselves, and ISPs need to protect the gateways to home networks. Part of being ready for the legislation also means that companies consider the longevity of smart devices and the ability of manufacturers to provide security updates in a timely manner.


See the full article at: