Cybersecurity in the World of IoT
Matthew Ahrens
Jill Bronfman
Viola Trebicka
Serge Jorgensen
Panelists
• Matthew Ahrens, Principal, Charles River Assoc.
• Jill Bronfman, Privacy Counsel, Common Sense Media
• Serge Jorgensen, CTO, Sylint Group
• Viola Trebicka, Partner, Quinn Emanuel
Protecting data in an Internet of Things environment
IoT is about making connections, and using those "connected" things to gather and send information.
This creates opportunities for compromise, be it entry into IoT ecosystems, access to customer information, or launching malicious attacks.
This panel will discuss considerations for safely building IoT infrastructure to protect the IoT innovation and ecosystem integrity.
IoT Growth
• Anticipated growth (Gartner 2017)
– 30% year over year
– 6B devices in 2017
– 20B devices by 2020
• Security Today (January 2020)
– 31B devices in 2020
– 127 more devices per second
Use Cases or Scare Tactics?
• Your garage door opener can deactivate your home alarm
• Hackers can access your pacemaker
Current Regulation of IoT
• Federal Trade Commission
• Consumer Product Safety Commission
• Food and Drug Administration
• State Laws
– Breach Notification
– Privacy (where enacted)
– Unfair and Deceptive Practices Statutes
• Other
The Future of IoT Regulation
• More states enacting privacy laws
• State IoT laws (e.g., California)
• Stricter regulations by federal agencies (e.g., CPSC)
• Potential unification of federal regulations:
– Internet of Things Cybersecurity Improvement Act of 2019
– Federal privacy law
Privacy, Anyone?
Privacy risks associated with IoT
User notification & awareness challenges
https://privacy.commonsense.org/
Development & Education
Developer-Increased Privacy
User-Protected Privacy
https://privacy.commonsense.org/resource/2019-state-of-edtech-privacy-report
IoT Manufacturer Liability
TRADITIONAL PRODUCTS LIABILITY RULES VS. IOT MANUFACTURERS LIABILITY
Liability of IoT Manufacturers: Case Study
• FTC v. BLU Products
– ADUPS Technology Co. provided security and operating system updates to BLU’s mobile phones
– ADUPS collected personal information such as call logs, text messages, and location information without consumers’ knowledge or consent
– FTC alleged that BLU failed to implement adequate security practices of service providers such as ADUPS; BLU must implement such measures as part of consent order