A Legal Guide to PRIVACY AND DATA SECURITY 2026

guidelines on the use and management of IoT devices owned or controlled by a federal government agency, including requirements for managing cybersecurity risks; and (2) guidelines for disclosing security vulnerabilities of information systems, including IoT devices, by contractors (and subcontractors) who provide the technology to the agency. Agency heads cannot procure, obtain, or use an IoT device that fails to meet the standards and guidelines, unless a waiver is determined to apply. The IOT Act is a complement to California’s IoT device security law (Cal. Civ. Code §§ 1798.91.04–1798.91.06) that went into effect on January 1, 2020. The California law, which among other things requires a manufacturer of IoT devices that are sold or offered for sale in California to equip the devices with a reasonable security feature or features that satisfy certain criteria, explicitly excludes from its scope any IoT device that is subject to security requirements under federal law, regulations, or regulatory agency guidance.

Individual Data Privacy and Security

An omnibus federal privacy bill known as the American Data Privacy and Protection Act [H.R. 8152] has received bipartisan congressional support and represents a major step forward in Congress’s two-decade effort to enact a federal data privacy and security framework. One obstacle is the view of Congresswoman Nancy Pelosi that the proposed law may pre-empt California’s existing privacy laws. Another obstacle to passage is whether or not a private right of action is included.

Data Breach

Following the massive data breach at Target and media attention on data privacy, there was an initial increase in efforts to create a federal data breach notification law. Senator Patrick Leahy (D-VT) first introduced a legislative proposal over a decade ago and has continued to reintroduce it but has yet to get it passed.
