Federal Law and Proposed Legislation Congress has considered data privacy and security legislation that would have significant implications for U.S. businesses, their online and internet-connected products and services, and relations with the federal government. IoT Device Security The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 was passed and signed into law on December 4, 2020. The Act requires the National Institute of Standards and Technology (NIST) to develop and publish (1) minimum security standards and guidelines on the use and management of IoT devices owned or controlled by a federal government agency, including requirements for managing cybersecurity risks; and (2) guidelines for disclosing security vulnerabilities of information systems, including IoT devices, by contractors (and subcontractors) who provide the technology to the agency. Agency heads cannot procure, obtain, or use an IoT device that fails to meet the standards and guidelines, unless a waiver is determined to apply. The IOT Act is a complement to California’s IoT device security law (Cal. Civ. Code §§ 1798.91.04–1798.91.06) that went into effect on January 1, 2020. The California law, which among other things requires a manufacturer of IoT devices that are sold or offered for sale in California to equip the devices with a reasonable security feature or features that satisfy certain criteria, explicitly excludes from its scope any IoT device that is subject to security requirements under federal law, regulations, or regulatory agency guidance.
59
Made with FlippingBook - Online Brochure Maker