Reed Smith LLP

A recent study conducted by researchers at the University of Piraeus, published in the Institute of Electrical and Electronics Engineers’ Access journal (29 January 2018), has indicated that many popular health apps have significant privacy and cybersecurity failings; many of them do not follow standard practices nor will they comply with the upcoming General Data...… Continue Reading

The Cyber Shield Act of 2017 is one of the more recent manifestations of the federal government’s increasingly urgent scrutiny over the security of Internet of Things (IoT) devices. This latest proposal, introduced in both houses of Congress on October 26–27, 2017, creates a voluntary compliance framework, whereby participating businesses can submit their devices to a standardized security review for scoring and labeling. The bill adopts a similar theory behind the LEED certification system for a building’s environmental performance. It aims to incentivize businesses to participate in the rating system as a means to market their devices’ security features. The thought is that consumers armed with this information will demonstrate a preference for higher-rated devices, which will incentivize other manufacturers to also secure a high score. Though not without critics, most notably for its voluntary nature, cybersecurity analysts are watching the bill’s progress closely to see what impact it will have on the larger landscape of IoT device regulation.

The Federal Trade Commission (FTC) released a report summarizing the results of its investigation into improving mobile device security, particularly in regard to releasing security updates (i.e., patches) for devices in active use. Based on its findings, the report presents recommendations for providing timely security updates consistent with consumers’ reasonable expectations, disclosing better information about security update practices and educating consumers to better understand their role in the security update process. These recommendations are aimed at mobile industry stakeholders, including device manufacturers and telecom carriers, and may be applied by the agency to any organization that develops, manufactures or otherwise provides Internet-connected devices. The guidance provides a framework of practices, and failure to adhere to these practices may put particular companies at greater risk of FTC enforcement or increased risk of consumer class actions because plaintiffs’ firms often look to agency guidance in bringing new types of claims.

On December 8, 2017 – nearly a year after President Obama signed into law the 21st Century Cures Act (“Cures Act”) – the Food and Drug Administration (“FDA”) released two new draft guidances that aim to implement section 3060 of the Cures Act, and provide clarity on the Agency’s regulatory approach to software as a medical device.