Can the Law Keep Up With the Internet of Things?
In 1999, renowned inventor and self-described futurist Ray Kurzweil—now director of engineering at Google—published "The Age of Spiritual Machines," in which he proposed a formula for calculating the rate of change in evolutionary systems.
November 02, 2018 at 12:58 PM
7 minute read
In 1999, renowned inventor and self-described futurist Ray Kurzweil—now director of engineering at Google—published “The Age of Spiritual Machines,” in which he proposed a formula for calculating the rate of change in evolutionary systems. Dubbed “The Law of Accelerating Returns,” Kurzweil's formula holds that technological progress will occur at an exponential rate. Viewed in relation to human history, this means in the 21st century “we won't experience 100 years of progress”; instead, the growth rate “will be more like 20,000 years of progress.”
Over the past two decades, Kurzweil's model of technological progress has been validated. Today, the world is home to more internet-connected devices (10 billion) than people. Dubbed the “Internet of Things” (IoT), this interconnected network of digital devices has revolutionized how we interact with the world around us. From driverless cars, to personal drones, to smart homes, the degree to which the IoT has affected contemporary society is nothing short of profound.
Only recently, however, have states started to grapple with the myriad security and privacy concerns implicated by the IoT. In September, California became the first state to pass legislation designed to protect the privacy and security of IoT users from the ever-increasing threat of hacking. But the impact (and adequacy) of this legislation, as well as the future of IoT legislation across the country, remains unknown.
|Hack the Planet
As defined by the Federal Trade Commission (FTC), the IoT encompasses “devices or sensors—other than computers, smartphones or tablets—that connect, communicate or transmit information with or between each other through the Internet.” Common examples include wearable devices (like Fitbit and the Apple Watch); smart-home devices (like Google's Nest Thermostat and the Kohler Verdera Smart Mirror); and vehicle enhancements (like AT&T's Connected Car).
Like personal computers (PCs) and smartphones, IoT devices collect, store and transmit users' personal data. But unlike a PC or smartphone, IoT products tend to be sold without antivirus software, and do not require users to update their login and password information. As a result, the IoT landscape is considered a goldmine for cybercriminals and hackers.
Take, for example, a baby monitor. Today, many parents monitor their children by placing Wi-Fi video monitors in their bedrooms. But as NPR reported earlier this year, these baby monitors often contain several “easy-to-exploit vulnerabilities” that not only allow hackers to peer inside young children's bedrooms, but also “gain access to a home's Wi-Fi network to get information off computers, possibly for financial gain.”
Other IoT-connected products are equally susceptible to hacking. Fiat Chrysler was forced to recall 1.4 million cars in 2015 after a team of cybersecurity researchers hacked a Jeep Cherokee's infotainment system, took control of the steering wheel, disabled the breaks and shut down the engine. The health care industry experienced a similar scare a year later, when the FDA confirmed St. Jude Medical was using implantable cardiac devices (e.g., pacemakers) that possessed “vulnerabilities that could allow a hacker to … deplete the battery or administer incorrect pacing or shocks.” And the St. Jude case was followed by the widely reported Mirai botnet attack in October 2016, when attackers hijacked IoT devices around the globe by exploiting a vulnerability in webcams and digital recorders, and then used those devices as a botnet to flood the networking company Dyn with malicious traffic. Because of this attack numerous popular websites—including Twitter, Netflix and Reddit—were forced to temporarily shut down.
|California Dreamin' [of Better Security]
To combat the ever-increasing threat of IoT hacking, California recently became the first state to mandate the implementation of security features for IoT devices. The law, which goes into effect in January 2020, covers all internet-connected devices made or sold in California. It specifically requires manufacturers to equip devices with “reasonable security” features designed to protect the device from “unauthorized access, destruction, use, modification or disclosure.” Compliance can be accomplished by preprogramming the device with a unique password or requiring users to generate a new password before accessing the device for the first time.
The bill has garnered approval from numerous privacy rights organizations and consumer groups, including the Electronic Frontier Foundation and Privacy Rights Clearinghouse. Experts have lauded the bill's user-specific password requirement as an important step in protecting users' privacy, as default passwords—e.g., “admin” or “1234”—are easily searchable on Google, and consumers often fail to change default passwords after buying an IoT device. By the same token, the law's use of the term “reasonable” offers an important degree of flexibility—allowing it to be broad enough to cover future technological advancements.
But the bill has received criticism as well. According to security researcher Robert Graham, one of the law's major shortcomings is its failure to protect IoT devices from potentially infecting each other. For example, Graham notes that the law could have offered more protection by requiring IoT devices to be sold in a default “isolation” mode, which “prevents infected laptops/desktops (which are much more under threat than IoT) from spreading to IoT.”
|Implications
Importantly, California's IoT law, which does not contain a private right of action, is enforceable only by California's attorney general or city attorney, a county counsel or a district attorney. Nevertheless, according to numerous commentators the plaintiffs bar is expected “to ramp up its activity in this space in the near future, to seize on the new security requirements if there's a breach or other major security incident that allegedly lacked proper password security.”
California's law may spur additional legislation as well. In June 2018, the U.S. House of Representatives' Committee on Energy and Commerce introduced a bill titled the State of Modern Application, Research, and Trends of IoT Act—otherwise known as the SMART IoT Act—that would empower the Secretary of Commerce to conduct a study of IoT devices, determine federal agency jurisdiction over such devices, provide regulations and resources, and report back to the House Committee within one year. This legislation came on the heels of the Internet of Things Cybersecurity Improvement Act, which was introduced in the Senate in August 2017. Although these bills have yet to be passed, California's initiative may spark a renewed interest in further regulating IoT devices on a national scale.
California's IoT law is sure to have a significant impact on the IoT landscape in the coming decade. As technology continues to progress, and as resultant security concerns emerge, California is posed to play a starring role in regulating the IoT industry. But whether this cast of characters will grow through additional state or federal legislation is unknown. Either way, the IoT show will go on.
Jeffrey N. Rosenthal is a partner in Blank Rome's Philadelphia office. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. Contact him at [email protected].
Thomas F. Brier, Jr. is an associate in the firm's Philadelphia office. He concentrates his litigation practice on a variety of criminal and civil litigation matters, and has written extensively on issues pertaining to data privacy and cybersecurity. Contact him at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFederal Judge Allows Elderly Woman's Consumer Protection Suit to Proceed Against Citizens Bank
5 minute readJudge Leaves Statute of Limitations Question in Injury Crash Suit for a Jury
4 minute readSupreme Court's Ruling in 'Students for Fair Admissions' and Its Impact on DEI Initiatives in the Workplace
6 minute readMembership Has Its Privileges: Bankruptcy Court Examines LLC's Authority to File Bankruptcy
8 minute readTrending Stories
- 1Judge Grants Special Counsel's Motion, Dismisses Criminal Case Against Trump Without Prejudice
- 2GEICO, Travelers to Pay NY $11.3M for Cybersecurity Breaches
- 3'Professional Misconduct': Maryland Supreme Court Disbars 86-Year-Old Attorney
- 4Capital Markets Partners Expect IPO Resurgence During Trump Administration
- 5Chief Assistant District Attorney and Litigator Shortlisted for Paulding County Judgeship
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250