Mitigating the Risky Business of IoT

Q&A with Donna McPartland & Shamim Mohandessi of Han Santos, PLLC, with Larry O’Connell, of Sequitur Labs, Inc.

Introduction

Regulation of the Internet of Things (IoT) is growing at the federal and state level and pushing organizations to include robust security features in their devices.

The U.S. Internet of Things Cybersecurity Improvement Act of 2020 (the "Act") was enacted in December 2020 by Congress, and although it applies only to federal agencies, it is expected to have a significant impact on the development and manufacturing of IoT devices. This Act requires that federal agencies only procure IoT devices that comply with the National Institute of Standards and Technology's (NIST) guidelines for IoT device security.

Currently, NIST has published a draft publication 800-213, titled "IoT Device Cybersecurity Guidance for the Federal Government" that is expected to be finalized this year. This draft guidance recommends that federal agencies have "minimal securability" for IoT devices prior to purchase. NIST defines "minimally securable IoT device" as a device that has "the device cybersecurity capabilities customers may need to mitigate some common cybersecurity risks..."

Given the significant buying power of the federal government, private companies are likely to follow the NIST guidance when it is finalized. Additionally, some states regulate the use and deployment of IoT, including California and Oregon. Laws in both states require manufacturers of IoT devices to equip devices with "reasonable security features." However, each state fails to define "reasonable security features." Instead, the NIST guidance, when finalized, is expected to provide such clarity, at least within the US, through a standard definition. We also expect continued enforcement from the U.S. Federal Trade Commission through litigation and other enforcement activities as they relate to IoT device security.

To learn more about the regulation of IoT and to help answer questions about related trends, we interviewed Donna McPartland and Shamim Mohandessi from Han Santos, PLLC, and Larry O'Connell from Sequitur Labs, Inc.

What are the legal risks IoT organizations are facing in terms of their data security?

Shamim Mohandessi (HS): A data breach, while not always fatal, can create significant costs both in remediation and in brand injury. Especially for small and mid-size companies, lax data security (and the ensuing data breach) can make a company a high-risk partner in both commercial and corporate transactions.

Larry O'Connell (SL): IoT is exploding - more than 75 billion devices are expected to be online within 5 years. Most of these devices are being deployed without acceptable levels of security - about half of device vendors experienced a data breach at least once.

What are the costs associated with a data breach?

Larry O'Connell (SL): Data breaches are expensive. According to the Ponemon Institute, the average cost of a data breach is about $4M and has been rising (10%) over the last five years.

At an individual level, a data breach can exceed 10% of a product's revenue. This does not include other long-term impacts to business, including harm to its brand, loss of customer trust, and theft of your intellectual property.

What unique pressure does this add to the job of the in-house legal team(s)?

Donna McPartland (HS): In-house counsel and legal teams working within IoT companies need to understand the legal and regulatory environment and industry best practices related to IoT device security. This is one of those instances where in-house counsel is not protecting against obscure legal risks, but rather providing first-line protection against material business risk.

Larry O'Connell (SL): In addition, edge device security is now a critical concern and can no longer be considered optional. It should be a high priority in any vendor's risk management process.

How are these problems growing/evolving?

Larry O'Connell (SL): The problem becomes more urgent with the acceleration of the deployment of Artificial Intelligence (AI) at the edge. Historically, artificial intelligence models were housed in a highly secure central (cloud) area, accessed by devices at the network edge.

Edge devices are now performing these tasks locally, which is an exciting development for applications like robotics, intelligent video analytics, and autonomous machines.

About 75% of all data is expected to be generated at the network edge. This development does, however, increase the urgency to protect AI models – which represent critical intellectual property – on edge devices.

How is the market changing in terms of end-user expectations?

Larry O'Connell (SL): In recent years, cybersecurity for edge devices has become a top-of-mind issue. Recent developments include high-profile supply chain attacks (e.g., Solar Winds), the IoT Cybersecurity Improvement Act, and a recent Presidential Executive Order for improving the nation's cybersecurity. As a result, end-users have increased levels of concern for device security, and device vendor CSO's must prove that their products are secure.

What are some useful resources in terms of staying vigilant and educated towards creating a Data Security Savvy Team?

Donna McPartland (HS): Today's in-house counsel should be intimately aware of these issues, but it goes without saying, that we can only juggle so many items at once.

At Han Santos, our experienced attorneys can assist and augment in-house counsel with assessing a given company's data security program. From there, a work plan can be generated to guide any proactive work that needs to be done internally or externally.

It’s also important to note that legal can’t solve all these problems on their own. A certain degree of technical capability is required. We partner with specialty technology firms to help drive proactive enhancements to nascent data security programs.

Larry O’Connell (SL): In-house counsel should recognize that cybersecurity may never be a vendor’s core competency and that finding a strong partner in the space may be the right strategy.

How do organizations stay on top of the ever-growing laws and regulations of IoT?

Donna McPartland (HS): In-house counsel should track federal and state laws in this area as well as the finalized guidance from NIST (mentioned above). As a practice, Han Santos continuously monitors and updates clients on the ever-evolving data privacy and cybersecurity landscape. You can find those updates on our website or by subscribing to our Data Privacy and Cybersecurity Team’s updates and blogs.

What are some of the technology security challenges IoT companies want to consider?

Larry O’Connell (SL): Cybersecurity at the network edge is difficult. Here are a few challenges:

Companies must understand a complex set of features and functions needed to secure a device, and how to extract those features and functions from the silicon (microprocessor) selected for the product.

Threats are evolving and technology (for example, encryption methods) is evolving as well.
Companies are still under pressure to release products on time and keep up with the competition – without sacrificing security.

As a result – companies look for partners who are experts in the space to help them deliver a robust security solution.

Where do you start when evaluating what is needed for better data security?

Donna McPartland (HS): Assessing the risks considering applicable laws, regulations, and industry best practices is a good place to start to understand the risks to your company. Our Privacy Team regularly aids clients with these activities.

Larry O’Connell (SL): For the IT and Information Security side of the company, it starts with:

Recognizing the resources required to create true cybersecurity expertise
Assessing the time required to implement best practices in silicon
Reviewing the cost of creating and maintaining the right processes to implement security throughout the supply chain and product’s lifecycle

This investment should be weighed against a strong partnership with a specialized cybersecurity software vendor.

Vendors, like Sequitur Labs, deliver a complete solution for cybersecurity at the edge. Their software provides a complete set of features and functions required to secure a device and easily integrate those functions with device applications.

Their cloud services automate the processes required to keep a device safe, for example, firmware updates and threat detection.

About Sequitur Labs, Inc.

Sequitur Labs delivers software, integration tools, and cloud services to bring trusted, resilient products to market. With over 20 billion embedded systems connected to the Internet today, securing these devices is now the prime imperative of most organizations. However, doing so is a difficult and expensive road to navigate. Sequitur's mission is to help companies do this efficiently and within budget.

About Han Santos, PLLC

Donna McPartland is Of Counsel at Han Santos PLLC with over 20 years of experience in technology, privacy, and security. Donna is a Fellow of Information Privacy (FIP), a Certified Information Privacy Manager (CIPM), and a Certified Information Privacy Professional (CIPP/US). Donna regularly advises global companies on data privacy and cybersecurity matters.

Shamim Mohandessi leads the Han Santos Corporate and Securities Practice Group. His work focuses on emerging growth and lower middle-market companies in technology, media, and telecommunications. His clients are typically enterprise-oriented, recurring revenue businesses heavily invested in intellectual property.

Han Santos is a full-service, minority-owned, technology business law firm. Its core counseling team of legal experts includes highly skilled professionals who are passionate about offering innovative solutions to clients to protect their proprietary assets and drive winning deals.

Cookie	Duration	Description
__cfruid	session	Set by Cloudflare. Cookie associated with sites using CloudFlare, used to identify trusted web traffic. Learn more about Cloudflare cookies.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
cf_clearance	session	Set by Cloudflare. Used to verify user is not a bot. Learn more about Cloudflare cookies.
hubspotutk	1 year	Set by HubSpot. This cookie keeps track of a visitor’s identity. It is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
__hssc	30 minutes	Set by HubSpot. This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
__hssrc	session	Set by HubSpot. Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
__hstc	13 months	Set by HubSpot. The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
_ga	2 years	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.
_ga_RJQRHRDJNC	2 years	Set by Google. Used to persist session state. Google’s policies can be viewed here.
_gat_gtag	1 minute	Set by Google. Used to analyze visitor browsing habits, flow, source and other information. Google’s policies can be viewed here.
_gid	24 hours	Set by Google. Used to distinguish users on the Google Analytics platform. Google’s policies can be viewed here.