Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing beginning in October 2018.  Details on how to participate in the Program are available on the CTIA website.

Connected devices have existed in the marketplace in one form or another for decades (think vending machines or weather sensors). Yet, a confluence of forces in recent years has helped spur a mass proliferation of technology in the “Internet of Things,” and with it, the collection and analytics of big data. Demand is high to connect nearly everything to the Internet — from smart home platforms and connected cars, to wearable devices and even smart yoga mats. Analysts predict that the number of IoT devices will reach between 25 and 200 billion devices by 2020.

For such an ubiquitous topic, the IoT can be surprisingly difficult to describe. At a basic level, the IoT is an ecosystem of physical objects connected to the Internet generally featuring small, embedded sensors relying on wired and wireless technologies that collect and transmit data either passively or actively. The Federal Trade Commission, the nation’s top consumer protection cop, defines the IoT as “the ability of everyday objects to connect to the Internet and to send and receive data,” that includes both consumer- and nonconsumer-facing devices.[1] As the IoT has continued to grow into new and emerging areas, so too has FTC scrutiny.

In the Law360 article, ‘Smart’ Ways To Avoid FTC Internet Of Things Scrutiny’, partner Alysa Hutnik and associate Crystal Skelton, address recent enforcement matters and lessons learned from the FTC’s report, “Internet of Things: Privacy and Security in a Connected World.” They also provide a list of several key issues to consider when developing and marketing a connected or “smart” device.

To read the full article, please click here. Access may require a subscription.


BaconAt last week’s Strata + Hadoop Worldwide Big Data Conference those “in the know” about all things Silicon Valley prophesized that “data is the new bacon.”  Witty comparisons aside, there is no question that big data has matured.  Companies across all industry types are clamoring to leverage every possible gigabyte of available consumer data.  As the industry has grown up, the list of FTC settlements involving privacy and data security has grown along with it – totaling more than 100 cases presently.

As Kelley Drye Partner, Alysa Hutnik, and Special Counsel, Kristi Wolff, explained in their conference panel (It’s a brave new world: Avoiding legal privacy and security snafus with big data and the IoT), the FTC has made it clear that it is not just interested in mature companies when it comes to privacy and data security issues.  The agency is closely monitoring practices by both startups and “grown up” companies.

So what is the FTC interested in presently?  Last week, the FTC announced that it will host a fall seminar series to examine three emerging consumer technology issues that, according to the FTC, are raising critical consumer protection issues.  These workshops will address ransomware and related data security issues, privacy and other considerations associated with the use of drones, and tracking consumer habits through their Smart TVs.  This week, the FTC also announced that it will hold its second PrivacyCon event, seeking to explore new and evolving technologies, such as targeted advertising, cross-device tracking, smart homes, health and fitness wearables, voice-controlled technologies, connected cars, and commercial drones.  And, as those of you who follow this area know, the most common pattern is workshops, followed by guidance, followed by enforcement.  Smart companies of all ages should pay close attention.