As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific for companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.
Continue Reading NIST Releases Cybersecurity Guidance for Manufacturers of IoT Devices

“Internet of Things” devices are listening.  And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus are susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices. I.e., a device connect to the internet that is not a “general purpose computing device.”
Continue Reading Feds Want New IoT Guidance to Address Security Vulnerabilities

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices.
Continue Reading Cyber Concerns Lead to EU Recall of a Connected Kids Devices

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.

The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process. Namely, that VTech did not have a way to verify that the person submitting consent was the parent, not the child him or herself. Also of concern for the FTC, and in violation it alleged of COPPA, was not having a link to the privacy policy in all areas of Kid Connect where personal information was collected. And in some instances, like the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information required by COPPA to be included in a privacy policy was missing. This included VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review/delete children’s personal information.
Continue Reading Connected Toys, COPPA, and What’s Next

Following up on our prior posts, we now turn to the future of cybersecurity. In so doing, we are reminded that, just as technology and the Internet are rapidly changing, so is the need for defenses against cyber attacks. Today’s cutting edge includes smart cities, connected devices, digitized records and smart cars. They bring with them increasing threats of attacks using the Internet of Things (IoT), and illegal access to private data. At a recent panel discussion hosted by Sheppard Mullin, experts focused on both the near future – the threat of a new bot army possibly set to launch attacks within weeks – and the more distant future – the coming advent of quantum computing and what it will mean for cybersecurity. We must prepare for tomorrow’s threats by doing our best to anticipate them today.
Continue Reading Lessons Learned from Cyber Awareness Month – Part Three

On April 6, 2016, National Telecommunications and Information Administration (NTIA) issued a federal notice to request public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT).  (RFC at http://www.ntia.doc.gov/files/ntia/publications/fr_rfc_iot_04062016.pdf).

Comments are due on May 23, 2016.Continue Reading NTIA Issues Request for Comments on Policies Related to Cyber Threats Surrounding Internet of Things