The DHS and NIST Release Guidelines for the IoT

This week, both the Department of Homeland Security and the National Institute of Standards and Technology released a set of guidelines intended to secure the IoT. Both the DHS and NIST offered standards and other security principles that focused on redesigning the main infrastructure of the device and emphasized the need to incorporate security practices early on in the design of an IoT device.

On November 16th, a joint hearing of two House Energy and Commerce subcommittees was held to investigate ways to better secure internet-connected devices and to mitigate future attacks. Experts testified that internet-connected devices are compromised by a minimal interest in security by both the manufacturers and the consumers. The overall lack of incentive to implement security mechanisms on these goods can be rectified by an increased regulatory presence in this industry. Rep. Jan Schakowsky (D-Ill.), the ranking member of the Commerce, Manufacturing and Trade Subcommittee, suggested that the Federal Trade Commission needs to take on a larger role in this industry to protect the consumers. Rep. Michael C. Burgess (R-Texas) wanted to shy away from creating hard and fast rules and, instead, develop a set of best practices or industry standards for the IoT industry to follow. He believed regulations could be an “innovation killer.” Regardless of the approach adopted, the comments made at the hearing echoed the incentive behind DHS’s and NIST’s guidelines: cybersecurity must be part of the early design of an internet-connected device. The new guidelines and joint hearing on the IoT reflect a new focus on the security of IoT devices.

LinkedIn is Shown the Door in Russia

On November 10th, after determining that LinkedIn Corp. violated Russia’s data localization law, a Moscow court affirmed an August district court decision that blocked the company from providing online services within Russia. The law, which went into effect in September 2015, requires websites to store Russians’ personal information on servers located in Russia. This ruling was the first time a Russian court enforced the law. Even though LinkedIn does not have any offices or personnel located within Russia, the company still has to comply with the law simply because Russians can sign up to use its services. Consequently, if multinational companies want to engage with Russian users, they will likely need to build data centers in Russia or store their data with local storage centers. Adhering to this law will likely grant Russian officials a more direct and easier access to customer and corporate data. One week after the decision, Russia’s communications regulator ordered access to LinkedIn’s website to be blocked to users in Russia. As companies look to expand their businesses, data localization laws could prove to be an obstacle to expansion.

A Single Text Constitutes an Injury-in-Fact under the TCPA

On Nov. 15th, U.S. District Judge Leigh Martin May ruled that an alleged violation of the Telephone Consumer Protection Act (TCPA) is enough to file suit in federal court. Under the TCPA, a company cannot use automated telephone dialing systems to send unsolicited calls or text messages to a consumer without prior consent. The plaintiff claimed that Hooters knowingly violated the TCPA by sending a text message to diners who had opted out of receiving the messages. In applying the recent Supreme Court ruling in Spokeo, Inc. v. Robins, the judge concluded that a per se violation of the TCPA is suffice to establish standing. And, in fact, “sending a single text message in violation of the TCPA constitutes an injury-in-fact.” This ruling could be a significant business risk for many companies as it makes it easier for plaintiffs to satisfy the initial standing requirement

Long Distance Search Warrant Power

On December 1st, the revised Federal Rule of Criminal Procedure 41 will take effect, which allows federal judges, with authority in any district, to issue a warrant requesting remote access to search electronic devices. Rule 41 would apply in two circumstances: first, if a suspect uses technological means to hide the location of his or her computer and; second, if, in an investigation of a crime that involves criminals hacking computers, the computer is located in five or more judicial districts, Rule 41 would only require one judge to review an application for a search warrant rather than submitting separate applications in each district where a computer is affected. A judge can grant a warrant even if the owner is not aware of how the computer is being misused—for example, an infected personal laptop that has been used in a cyberattack. Companies will have to wait to see how prosecutors will utilize Rule 41 warrants. In the interim, Rule 41 could make it increasingly difficult for companies to protect users’ information.