Sheila Millar Authors Law360 Article: "The Evolving Legal Landscape For Connected Products"

Date: Apr 13, 2017

Law360, New York (April 13, 2017, 10:53 AM EDT) —
The Internet of Things (IoT) has continued its rapid expansion into homes, cars, offices, hospitals, fitness devices and even children’s toys. The market for connected devices is predicted to explode, along with related markets for cloud services, software as services, analytics, and other services to support these products.

The rapid deployment of connected products promises to dramatically alter how we manage our homes, our health and our lives — and to upend the existing legal landscape. As consumers clamor for more efficient, more versatile connected products, and the IoT expands, smart technologies have come under increasing scrutiny by lawmakers and regulators.

Data privacy and security concerns have been at the top of the list, and are attracting increased attention. A major distributed denial of service attack last fall raised concerns about the possible lax security of connected products, and already California has introduced draft legislation to impose privacy and security obligations on connected products.[1]

Reports of potential security lapses allowing hackers to take over a car prompted congressional inquiries in 2015, and the Federal Trade Commission (FTC) plans a workshop on connected cars on June 28. Allegations of security issues with connected toys have also captured headlines.

In the meantime, the U.S. Consumer Product Safety Commission (CPSC) issued a staff report in January entitled Potential Hazards Associated with Emerging and Future Technologies. Areas identified for potential investigation include a variety of innovative technologies, such as 3D printing, nanotechnology, virtual and augmented reality and an array of connected products.[2]

As more connected devices enter the marketplace, these issues are the topic of discussion by regulators worldwide. Of course, the difference between a connected product and the software that powers it is the existence of a physical product that must be tested to meet specific regulations or standards, depending on the product.

This means that connected product manufacturers also need to pay attention to the rules, regulations, standards and requirements that affect the product itself, from physical safety and performance tests to limits on chemicals used to make them.

Thus, a critical difference between a product — even an extraordinarily complex one — and that same product which connects to the internet is the need to understand how physical safety, regulatory compliance, performance and customer satisfaction depend on the software, firmware and operating systems used to make the product “connect.”

Privacy and Security

Regardless of the type of connected product involved — from home hubs to wearables, appliances to toys — connected product manufacturers must consider and address potential privacy and security risks. However, they need to do that in the context of the development trajectory of the physical product.

Currently, several federal laws impose cybersecurity and privacy obligations, including the Health Information Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Children's Online Privacy Protection Act (COPPA). These laws include both privacy and security obligations specific to the sectors or activities covered.

In addition, Section 5 of the FTC Act grants the commission broad powers to address unfair and deceptive business practices. The FTC has applied its Section 5 authority to address privacy and security practices by businesses in sectors not subject to sector-specific requirements in many enforcement cases.

However, the principles the commission has applied in these cases notably draw from security provisions in some of the sector-specific laws it enforces. Staff reports and business guidance, like the FTC’s Start With Security guide, provide recommended general guidelines on security practices for business.

The FTC has also referenced the National Institute of Standards and Technology (NIST) Cybersecurity Framework as an effective tool. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of an organization’s risk management processes.

Toys have come under special scrutiny, even though under COPPA the FTC has enforcement jurisdiction over both the privacy and security of information collected online from children. COPPA requires that companies post their privacy policies, notify parents of their information-collection practices and get verifiable parental consent, among other steps, before collecting personal data from children.

It also imposes due diligence and data security obligations. Moreover, the FTC has repeatedly confirmed that COPPA applies to any “online service” directed at children, which of course includes children’s products.

Yet legislators and advocacy groups in the U.S. and Europe continue to highlight connected children’s products. Late last year, for example, a consortium of children’s advocacy groups in Europe and the U.S. filed coordinated complaints with the FTC and its European counterpart concerning privacy and security related to the My Friend Cayla doll, which resulted in its ban in Germany and a petition to the FTC.

The recent furor over CloudPets, where a security vulnerability allegedly exposed customer emails, passwords and other information to hacking, is just the latest report to surface. Scrutiny of smart technology products is likely to increase in the foreseeable future, particularly if intended for use by children.

A bill was recently introduced in the California state senate that would expand privacy and security obligations on connected product manufacturers. Called the “Teddy Bear and Toaster Act,” S.B. 327, introduced on Feb. 13, 2017, would require manufacturers of connected products to implement security measures and provide specific notices to consumers about information collection practices, among other objectives.

The requirements could apply to any device capable of connecting to the internet or to another device, including computers, toys, appliances, cell phones and professional equipment. The implications of this law versus the scheme of federal sector-specific privacy and security laws, however, must be considered from a preemption standpoint. With regard to children’s products, for example, COPPA preempts inconsistent state law.

Product Safety, Environmental and Other Regulations

The CPSC imposes certification and other requirements on a variety of consumer products to ensure compliance with safety requirements under its jurisdiction. The CPSC is also responsible for enforcing certain chemical restrictions on children’s products, certification requirements, and labeling requirements, and it has the power to initiate recalls where any product poses a risk to the public.

While to date there have been very few recalls of “connected” devices, as the number of such products expands, this is likely to change. The evolving technological landscape and its implications for safety are drawing attention from regulators.

The CPSC’s January 2017 staff report on emerging hazards focused on several recent technological and sociological trends, including the increased integration of smart technology and IoT into everyday products, and the use of big data by manufacturers and third parties (including data derived from social media).

Product safety regulators are interested in whether this type of information can be harnessed to unlock trends on possible defects or unsafe use patterns. The ability to identify product owners, on the other hand, can also offer opportunities to contact consumers directly to alert them about product safety issues or recalls.

The CPSC staff report identifies “softwarization” of products as a potential safety issue. The report suggests that hazards associated with software in products “could manifest in software that operates incorrectly (e.g., a bug creates an abnormal operating condition, malware changes the software function, an unforeseen input leads to an abnormal operating condition), or fails to operate when a response is required (e.g., a safety monitoring system does not respond when a hazardous condition is detected).”

The report acknowledges that CPSC does not have staff expertise to evaluate software as a component part in consumer products. It also identifies the absence of standards to evaluate or certify software in products. However, safety issues of the software that powers a specific connected product have to be considered in the context of the particular product involved.

The notion of some type of general “standard” for software used in products could result in a potential false sense of security while limiting innovation, and at least for now, seems unlikely to advance. Even so, similar discussions are occurring in other regions and countries.

Environmental considerations are also an important component of the overall safety and compliance assessment for any physical product. In particular, the use of chemicals in products should be considered. Depending on the materials and components used to manufacture a connected device and/or its packaging, producers need to assess the applicability of restrictions and taxes on ozone-depleting chemicals, as well as restrictions on specific uses of substitutes for these chemicals.

A manufacturer may be subject to requirements under the newly updated Frank R. Lautenberg Chemical Safety for the 21st Century Act, which modified the longstanding federal Toxic Substances Control Act to update the U.S. chemical control regime. The Environmental Protection Agency has authority to review, evaluate, test and regulate the use of chemicals.

In addition, an increasing number of states have adopted “green chemistry” regimes that require reporting on specific chemicals used in covered products. Some may require that producers conduct “alternatives assessments” or give the state the authority to limit or prohibit certain substances from consumer products.

While most of these laws apply only to children’s products, they are important to consider. And, of course, there is California’s famous Proposition 65, which imposes warning requirements on products that contain substances known to the state to cause cancer or reproductive toxicity. The landscape becomes even more complex where manufacturers seek to market products globally.

Energy efficiency requirements may also apply to certain connected products, such as appliances, or to other devices, such as external power supplies, that may be used more broadly in a variety of connected products. Although the current administration has proposed eliminating the popular and globally recognized Energy Star program that is particularly important to appliance companies, energy efficiency requirements are spreading outside the U.S.

In addition, energy efficiency remains a core commitment for many appliance manufacturers and also for retailers through their own sustainability initiatives.

An Integrated Approach

This summary simply touches on some of the major challenges for connected product producers. Tackling the many facets of the legal, practical and performance requirements applicable to an IoT product requires an integrated approach, one suitable to assess the risks and benefits and applicable governing regulatory framework of the product itself.

This is not, unfortunately, a simple task, and does not easily lend itself to standardization. There are many tools available, however, to help companies develop compliance assessment frameworks.

One on the security side is the NIST Cybersecurity Framework, widely touted for its flexibility and process-oriented approach. In conducting compliance assessments, it is important to marry an understanding of the underlying privacy and security landscape with in-depth knowledge of the products themselves.

Both disciplines are necessary to develop a risk management framework designed to foster compliance with legal requirements applicable to the product, promote safe use of that product, and protect consumers. While specifics of legal requirements that apply to physical products will differ based on the products themselves, the common requirement for any connected product is an understanding of the data collected by or through the device.

Conducting a privacy and security impact assessment can provide critical information about the data necessary to offer the product and to make it connect. Such assessments should be integrated with other tools traditionally used to assess product safety considerations of physical products, like fault tree analyses and failure modes and effects analyses.

In short, there is no one-size-fits-all approach for manufacturers of connected products that will cover a company’s legal obligations, protect its reputation, keep its products functional and provide a unique user experience.

Developing an individualized, integrated set of measures that comports with the product safety, environmental, privacy and security expectations of both regulators and consumers is crucial, and should inform the development of connected products from conception to marketing.

[1] S.B. 327, 2017-2018 Reg. Sess. (Feb. 13, 2017).

[2] CPSC Staff Report, “Potential Hazards Associated with Emerging and Future Technologies,” Jan. 18, 2017.