Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing in October 2018.  Details on how to participate in the Program are available on the CTIA website.

At last week’s Strata + Hadoop Worldwide Big Data Conference those “in the know” about all things Silicon Valley prophesied that “data is the new bacon.”  Witty comparisons aside, there is no question that big data has matured.  Companies across all industry types are clamoring to leverage every possible gigabyte of available consumer data.  As the industry has grown up, the list of FTC settlements involving privacy and data security has grown along with it – totaling more than 100 cases presently.

As Kelley Drye Partner, Alysa Hutnik, and Special Counsel, Kristi Wolff, explained in their conference panel (It’s a brave new world: Avoiding legal privacy and security snafus with big data and the IoT), the FTC has made it clear that it is not just interested in mature companies when it comes to privacy and data security issues.  The agency is closely monitoring practices by both startups and “grown up” companies.

So what is the FTC interested in presently?  Last week, the FTC announced that it will host a fall seminar series to examine three emerging consumer technology issues that, according to the FTC, are raising critical consumer protection issues.  These workshops will address ransomware and related data security issues, privacy and other considerations associated with the use of drones, and tracking consumer habits through their Smart TVs.  This week, the FTC also announced that it will hold its second PrivacyCon event, seeking to explore new and evolving technologies, such as targeted advertising, cross-device tracking, smart homes, health and fitness wearables, voice-controlled technologies, connected cars, and commercial drones.  And, as those of you who follow this area know, the most common pattern is workshops, followed by guidance, followed by enforcement.  Smart companies of all ages should pay close attention.

Yesterday, the Federal Trade Commission (FTC) held an information gathering workshop entitled the “Internet of Things: Privacy & Security in a Connected World.”  The purpose of the workshop was to explore consumer privacy and security issues raised by the growing connectivity of devices, and to inform the Commission about the developments in this area. The workshop featured a series of panels with representatives from government, academia, consumer groups, privacy professionals, and the technology industry who discussed the risks and benefits, consumer awareness, and the future of connected devices.  Topics discussed included:

  • What is the “Internet of Things”?
  • The Smart Home
  • Connected Health and Fitness
  • Connected Cars
  • Privacy and Security in a Connected World

The FTC will be preparing a report that includes recommended best practices for “smart” devices.  Interested parties may submit public comments on such best practices (or any of the topics/issues raised at the workshop) to the FTC through January 10, 2014.

For more information, see the Kelley Drye client advisory.