Global IoT Laws: A Review of International Law Affecting IoT
Hi, I'm Matthew Clark, and this is Lesson 7.4, Global IoT Laws.
Congratulations. This is the final lesson of this course.
In this lesson, we'll talk about the legal landscape for privacy and IoT law in Europe,
the United Kingdom and various other security and privacy laws. So let's get started.
Let's start with the UK.
The UK has not yet passed an IoT-specific security law, but they have established a national Centre of Excellence for IoT Systems and Cybersecurity,
and they created the 2018 Code of Practice for Consumer IoT,
which serves as a guideline for how to achieve a secure-by-design approach for developing, manufacturing and selling consumer IoT products.
This highlights three quick wins, which include having unique passwords, making sure that the company has a vulnerability disclosure program, and having a way to keep their IoT devices up to date through patching and so forth.
In January of 2020 they drafted a new law based on this code of practice, and that new law states that device passwords must be unique, that manufacturers must provide a public point of contact for people needing to report a vulnerability, and that the company must provide information stating
the minimum length of time that the device will receive security updates.
They also proposed enforcement measures, including a temporary ban on the supply or sale of the product while tests are undertaken;
a permanent ban of insecure products if a breach of the regulations is identified; serving a recall notice compelling manufacturers and retailers to take steps to organize the return of insecure products;
applying to the court for an order to confiscate or destroy a dangerous product; as well as issuing penalty notices imposing fines directly on the business.
The NIS Directive is the first piece of EU-wide legislation on cybersecurity.
It was adopted by the European Parliament on July 6 of 2016 and entered into force in August of 2016.
This directive created the foundation for notification and security requirements for operators of essential services and digital service providers, including cloud providers.
They defined essential services as including digital infrastructure, energy, transport, banking, financial markets, healthcare and drinking water,
and the digital service providers included online marketplaces, online search engines and cloud computing services.
Next, let's turn to GDPR. GDPR was adopted on April 14th of 2016 and became enforceable on May 25th of 2018.
As GDPR is a regulation and not a directive, it is directly binding and applicable, but it does provide some flexibility for certain aspects of the regulation to be adjusted by individual member states.
GDPR applies to all companies worldwide who work with the personal data of EU citizens,
and so GDPR affects you if you have a business established in the EU, offer goods or services to anyone in the EU, or collect, store, transfer or use personal information about European citizens.
It provides consumers and citizens of the EU with certain rights; they're granted eight fundamental rights, and we'll go over those in a second.
It also provides for breach notification
and for penalties; the fines can be pretty steep, up to €20 million or 4% of the business's global turnover, whichever is higher.
So let's take a look at these rights. These should be pretty familiar: the right to access, the right to be forgotten, the right to restrict processing, the right to be informed, data portability, the right to object, and, of course, the right not to have automated processing decisions made.
Next is ETSI.
This is the European Telecommunications Standards Institute. It's an independent, not-for-profit standardization organization in the telecommunications industry,
and they released a cybersecurity standard for consumer Internet of Things devices in February of 2019.
The standard is not mandatory and has remained a good-practice document. It deals with consumer connected devices and describes 13 recommendations, which include: IoT devices shouldn't have default passwords; the software should be updated; the company should manage vulnerability reports.
It talks about securely storing security-sensitive data,
communicating securely, minimizing the attack surface of the device, ensuring software integrity, protecting personal data, being resilient to outages, making use of telemetry data, allowing users to delete their personal data,
making installation and maintenance easy, and validating user input.
The point of the standard was to move the cybersecurity burden away from consumers and ensure that security is built into the products by design.
In June of 2020 ETSI released a new standard,
EN 303 645, which was an update to their older standard.
The 13 recommendations were included in that, as well as five specific data protection provisions for consumer IoT.
So this standard deals with all kinds of things, from smart cameras and televisions to baby monitors, health devices, connected home automation, smoke detectors and lots of other things.
And there's no specific enforcement that's prescribed with this new standard. However, if your company is subject to a data breach via an IoT-connected consumer device and you haven't certified that product against the standard, then the court case might not go so well.
Next up is Finland. They created an IoT device label.
This Twitter image is a quote from the chief research officer of F-Secure. In November of 2019, the National Cyber Security Centre in Finland launched a cybersecurity labeling system based on TS 103 645,
by which basic information security features of IoT devices aimed at consumers are guaranteed.
The labeling system is based on the draft ETSI standard, and a label, which is a stamp, is awarded to any Internet-connected smart device that meets those required safety standards.
The EU Cybersecurity Act is something to watch for in the future. It was adopted on April 17th 2019 and became effective on July 27th of 2019,
with some provisions that are going to take effect on July 28th of 2021. But it really did two things. It introduced for the first time an EU-wide cybersecurity certification framework for ICT products, services and processes.
ICT stands for information and communications technology. It's a broad term that covers all available communication gadgets, from televisions to cell phones to personal computers and more.
The act provides companies operating within the European Union the chance to certify their products, processes and services as meeting these EU cybersecurity standards. It also changes the name of the European Network and Information Security Agency (ENISA) to the EU Agency for Cybersecurity.
US companies may be surprised about how the act can impact them and hinder their ability to compete in the European Union market.
At this point, compliance with the cybersecurity certification schemes is completely voluntary unless specified by EU or member state law, but that certification may eventually become mandatory,
and the certification schemes are not available now. So it's something to watch for in the future.
Well, that's it for our last lesson, so don't be sad. You've learned a lot in this lesson. We finished up our discussion of privacy, we took a look at the United Kingdom and the European Union, reviewed different cybersecurity concepts, and finally we finished with the EU Cybersecurity Act.
Well, that's it. Look at that. We have finished all seven modules and you're ready for your certificate of completion.
I hope you've enjoyed taking this class as much as I have enjoyed developing it. I'm Matthew Clark, and I'll see you next time.