Reasonable Security: A Review of US Law Affecting IoT
8 hours 10 minutes
Hi, I'm Matthew Clark. This is Lesson 7.3. Reasonable security.
In this lesson, we'll discuss the legal landscape of privacy and IoT law in the US. We'll talk about the California IoT law as well as the Oregon IoT law and the CCPA. So let's get started. So let's take a look at the legal landscape of privacy laws.
We start with GDPR from the European Union, which we'll cover more in our next lesson.
But it was kind of the very first one that came out that was very specifically focused on privacy at a really high level, and it also enumerated specific rights to citizens.
We then have US laws, and this is really a patchwork of federal and state laws. So let's just kind of walk through some of the higher-level ones so we can understand how they apply.
So let's start with the US laws. On the federal side, there is no overarching federal privacy law that kind of dictates the way privacy should work. Instead, there's a large patchwork of laws, so let's review those,
starting with the FTCA, the Federal Trade Commission Act of 1914, which was years before the Internet. It created the FTC, which, among other things, attempts to police the Internet. A landmark case was FTC versus Facebook back in 2012,
where an eight-count complaint was brought about the way Facebook handled private information, and Facebook settled for $5 billion. It was absolutely huge
back then. We also have the US Privacy Act of 1974. Again, these date from long before the Internet.
This affects data held by US government agencies and kind of dictates the way the US government should handle private data.
We have the Cable Communications Act of 1984. It protects subscriber privacy. We have something called the Video Privacy Protection Act of 1988, from way back when we used to rent videos from video stores like Blockbuster. It prohibited the disclosure of rental or sale records.
We have the Driver's Privacy Protection Act of 1994, which governs public disclosure of personal information gathered by state DMVs.
We have HIPAA, which handles personal health information, and COPPA, the Children's Online Privacy Protection Act of 1998. It attempts to protect against the collection of personal information from children under the age of 13 and requires parental consent.
On the state side, we have a patchwork of laws. The CCPA, the California Consumer Privacy Act, is one that's got a lot of attention.
Maine has an act out there to protect the privacy of online consumer information, which prohibits the sale of ISP data.
Nevada has Senate Bill 220, which prohibits website operators or anyone who runs an online service from selling certain information. And many other states have lots of different privacy laws passed or in committee.
Breach laws: I think every state has adopted a breach law of some sort, which dictates when and under what circumstances organizations have to disclose that they've had a breach. Lots of other countries besides the US have got different things too, like India, which has the Personal Data Protection Bill.
There is the EU-US Privacy Shield, which was recently struck down by a court, so they'll have to find another way to do things.
Privacy is not just fragmented in the United States; it's also fragmented around the world as well. And if your organization is working globally and has a global presence, you have to know all these different patchworks of laws in order to be able to make sure that you're handling private information correctly.
So I promise this won't be a discussion of politics or the appropriateness of this policy or that one. I'll just simply state them.
One of the inherent risks of trying to use the legal system to enforce technology standards is that the legal system tends to run really slow, and codifying technical standards may create a situation in which those standards become obsolete.
And those types of laws really have second- or third-order effects that are not always apparent to politicians. Heck, most of us technologists don't really understand the complete picture either.
But let's walk through some issues of the day, because it'll kind of help us understand what we're dealing with.
The long and short of the California and Oregon IoT bills is that they're a start in the right direction, since the market is failing to self-regulate. But both kind of fall helplessly short of really driving meaningful change, though they're pretty good to start with.
The problem is that both laws use this concept called reasonable security, and reasonable security may not be an easy standard for engineers to implement. I mean, what does that mean, really?
The California law is not limited to consumer devices. The definition of a connected device appears to be broad enough to cover even devices intended for industrial or other B2B purposes.
And it's defined as any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and is assigned an Internet Protocol address or Bluetooth address. That's a broad definition. It really could cover anything from a computer to a smart light bulb to a printer to a smart TV.
As I pointed out earlier, there are second- and third-order effects:
as IoT grows, this will evolve to include many things that we're just simply not considering today,
and this is not meant as a criticism. It's meant as something to think about.
You know, as an industry we really haven't made a lot of leaps and bounds in securing the privacy and security of IoT devices, and so privacy laws and these regulations are certainly a good step to help the industry to be able to move towards a more secure environment.
So the California IoT law defines reasonable security as three things. One, it must be appropriate to the nature and function of the device. Two, appropriate to the information it may collect, contain, or transmit. And three, designed to protect the device and any information contained therein
from unauthorized access, destruction, use,
modification, or disclosure, as specified.
The California IoT law prioritizes authentication over other security concerns.
It states the following requirements for reasonable security: the preprogrammed password is unique to each device manufactured, and
the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Focusing on authentication and password features is noble but wholly insufficient to impact security. It doesn't take into account the whole host of other security controls that we've talked about in this course.
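As an added illustration (not part of the lecture, and not code from any vendor or statute), here is a minimal device-side authentication gate that satisfies the two requirements quoted above: a factory credential derived per device from a manufacturer-held provisioning key, so no two units share a default, and a gate that refuses access until the user replaces that factory credential. The provisioning-key scheme, the `DeviceAuth` state machine, and the serial numbers are assumptions for the example.

```python
"""Constructed example: first-access credential rotation for an IoT device.

Models the two SB-327 style requirements discussed above:
  1. the pre-programmed password is unique to each device manufactured;
  2. the device requires a new means of authentication before first access.
The provisioning scheme and class names are assumptions, not a real product.
"""
import hashlib
import hmac
import secrets


def factory_password(provisioning_key: bytes, serial: str) -> str:
    """Derive a per-device factory password from a manufacturer-held key and
    the unit's serial number. Assumption: the key never leaves the factory;
    only the derived password is printed on the label or flashed to the unit.
    Because the input differs per serial, no two units share a default."""
    digest = hmac.new(provisioning_key, serial.encode(), hashlib.sha256).digest()
    return digest[:12].hex()  # 24 hex characters, deterministic per serial


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash stored on the device (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Credential state machine: factory credential -> forced change -> normal use."""

    def __init__(self, factory_pw: str):
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(factory_pw, self._salt)
        self.must_change = True  # factory credential has not been replaced yet

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the stored and presented hashes.
        return hmac.compare_digest(_hash(password, self._salt), self._hash)

    def login(self, password: str) -> str:
        """Return 'denied', 'change_required' or 'granted'.

        A correct factory credential proves possession of the device but does
        not grant access: the only allowed action is set_password()."""
        if not self._verify(password):
            return "denied"
        if self.must_change:
            return "change_required"
        return "granted"

    def set_password(self, current: str, new: str) -> bool:
        """Rotate the credential. Requires the current credential, rejects
        re-using the factory value, and enforces a minimum length."""
        if not self._verify(current) or new == current or len(new) < 12:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(new, self._salt)
        self.must_change = False  # gate is now open for normal logins
        return True


def demo() -> dict:
    """Walk two constructed units through provisioning and first access."""
    key = b"constructed-provisioning-key"  # assumption: held only by the factory
    pw_a = factory_password(key, "SN-0001")
    pw_b = factory_password(key, "SN-0002")
    dev = DeviceAuth(pw_a)
    return {
        "unique_per_device": pw_a != pw_b,
        "wrong_password": dev.login("admin"),
        "factory_password": dev.login(pw_a),          # change_required, no access
        "rotated": dev.set_password(pw_a, "correct-horse-battery"),
        "factory_after_rotate": dev.login(pw_a),      # old credential is dead
        "new_password": dev.login("correct-horse-battery"),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point of the `change_required` state is that a correct factory credential never yields a session by itself; it only unlocks `set_password()`. A shared default (the weak setting both laws target) fails requirement 1 because every unit's `factory_password` would be identical, and a device that lets the factory credential keep working after setup fails requirement 2.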
The Oregon IoT law is very similar to the California IoT law, but there are some differences. First, the similarities. Both rely on a concept of reasonable security, and both laws are not limited to devices that collect or process personal information,
but include any such device that connects to the Internet, regardless of what kinds of key information they may possess.
The differences are that the Oregon IoT law has a broader definition of a covered device. It includes as a connected device any device that has an Internet Protocol or another address,
leaving the definition open to other types of connectivity.
And then it focuses on a use case specifically for personal, family, or household purposes. And that actually narrows the definition from California's broader approach.
Let's talk a little bit about the CCPA.
Who does it apply to? Well, the CCPA applies to any company that operates in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half of its money off of user data.
But the CCPA exempts businesses if they're covered under a federal act, like healthcare providers and insurers that may be covered under HIPAA, or credit reporting agencies like Equifax that are covered under the federal Fair Credit Reporting Act.
So the CCPA provides rights that are very similar to some of the same ones found in GDPR: right of access, data deletion, opt in or out, and non-discrimination.
So why does all this matter? Well, privacy and IoT law is really in its infancy.
In the US, the laws are pretty well decentralized, meaning the states are creating and enforcing a patchwork of laws.
In the European Union, laws are more centralized, though the member nations can enforce stricter local rules.
And across all the other countries in the world, it's really just a patchwork of privacy and technology laws, and these are just growing in complexity.
Well, that's it for this lesson. So what did we learn? Well, we continued our discussion of privacy, and we made sense of IoT law for some additional flavoring.
We looked at California's and Oregon's IoT laws. We reviewed the concepts of reasonable security and authentication,
and we investigated the CCPA. I'll see you next time.