Laws Governing the Internet of Things (IOT): Addressing New Security Challenges

The IoT Cybersecurity Improvement Act of 2020 affirms the inherent risks and security challenges associated with the accelerated use of technology and devices. The new Act has had a wide impact on the industry and is affecting how Internet of Things (IoT) devices are manufactured and sold across the board.

IoT is no longer an unregulated field as several states have passed IoT-centric cybersecurity laws. For many decades, legislators have had a hard time keeping up with tech innovations. The IoT regulatory environment has now matured. These are the various laws governing IoT and addressing new security concerns related to it.

An experienced and knowledgeable business law attorney can help in identifying and dealing with the various security risks associated with IoT.

Data Privacy Federal Framework (IoT Privacy)

There is no comprehensive federal law in the United States, such as Europe’s General Data Protection Regulation (GDPR) to regulate the use and collection of personal information. This gives rise to several security and privacy concerns. Instead, the country has a patchwork combination of myriad state and federal regulations that frequently contradict and overlap one another.

Having an experienced business law attorney guiding you through the complex structure of IoT laws can help you save a lot of wasted effort, time, and money. There are several specific US laws that restrict industry sectors and their related markets. Vendors that don’t have the resources to meet these restrictions are unable to venture into highly profitable contracts.

For instance, the healthcare technology industry is regulated by the provisions listed under the Federal Exchange Data Breach Notification Act of 2015 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In fact, HIPAA lays down the national standards for the protection and privacy of healthcare information whereas the Federal Exchange Data Breach Notification Act details the strict rules for notifying individuals about any compromised health insurance information.

All medical devices with access to personal information are required to follow these legislations. This holds true for the Internet of Medical Things – IoMT too. You should speak with a trusted business law attorney to protect your client’s data and find the best way of intimating a security breach.

IoT Cybersecurity Improvement Act

The 2019 IoT Cybersecurity Improvement Act was introduced by the House of Representatives (H.R. 1668) and the US Senate (S.734.) The Bill lays down basic security standards for connected devices used by the federal government. In relation to this, the private sector is not directly regulated by the IoT Cybersecurity Improvement Act, which slows innovation.

This is a bipartisan piece of legislation aimed at leveraging Federal Government procurement. It increases cybersecurity and has put basic security measures in place for IoT devices. The National Institute of Standards and Technology (NIST) is authorized under the Bill for overseeing IoT risks purchased by the federal government.

The Bill requires all purchases made by the federal government to comply with NIST recommendations. Any manufacturer that fails to adopt the mentioned guidelines can be turned down for federal government tenders. IoT device manufacturers are called upon to adopt coordinated disclosure policies as well. Currently, the security protections and features are left to the discretion of vendors and manufacturers, except in Oregon and California.

IoT Cybersecurity Laws in California and New York

In 2020, the California legislature made a new IoT security law effective through SB 1121 called the California Consumer Privacy Act. This is the first IoT security law in the United States and applies to all companies operating in California. The Bill is aimed at enhancing consumer protection and privacy rights for residents of the Golden State.

The California Privacy Rights Act (CPRA) came into effect on January 1, 2023, to protect the rights of all consumers making use of IoT devices and technology. This is a supplement to the California Consumer Privacy Act (CCPA). The CPRA highlights California’s position as a frontier in terms of data security and privacy legislation. It significantly expands on the existing legislation by creating a new series of amendments.

In essence, the CCPA creates new rights for California residents and expands on existing ones. The CRPA has created a new category under the CCPA for including personal and sensitive information. Biometric data, including sexual orientation, race, ethnicity, geolocation, religious belief, and Social Security Number are not added to the sensitive information group.

New York State has taken stock of lagging data security and privacy provisions. It now stands beside California with the SB S55575B, called Stop Hacks and Improve Electronic Data Security Act (SHIELD Act.) The Bill requires all NY residents to be protected by a cybersecurity program and other protective measures.

Compliance with these laws comes with strict enforcement. IoT manufacturers need to take these new laws into account.

Get a Reputable Business Law Attorney on Your Side

The seasoned business law attorneys at the BHM Law Group have years of experience in providing solid legal advice and help to clients. Our streamlined and innovative practice has helped entrepreneurs and companies across different verticals. Schedule a consultation with our lawyers today. Call us at (205) 994-0902 or contact us online.