Greg Guice Comments on Bipartisan Internet of Things Bill for Law360

March 20, 2019

Last week, House and Senate lawmakers introduced the Internet of Things (IoT) Cybersecurity Improvement Act. The bill asks the Commerce Department’s National Institute of Standards and Technology (NIST) to create security standards for IoT devices bought by the federal government, in order to make them less vulnerable to hackers.

A March 19 article from Law360 explores the potential impact of the legislation, with comments from McGuireWoods Consulting senior vice president Greg Guice.

This new legislation is revised from a previous version of the bill introduced in the Senate in 2017, which excluded several categories of devices from being considered IoT products, including personal computers. In addition to including these categories, the new bill creates a process for companies to challenge whether their devices are covered, giving businesses clarity about which devices fall under the law.

The IoT Cybersecurity Improvement Act would provide the first federal standards for IoT devices, and could induce change in how devices are made for the general public.

“This could have a powerful effect on what is available to commercial consumers,” said Guice. “I think the spillover effect is likely to be very high because if there is a standard developed by NIST, industry participants will want to pay attention to it at a minimum.”

The bill tasks NIST with creating standards, with a review of the policy occurring every five years. If IoT vendors want to sell to federal agencies, they will need to create vulnerability disclosure policies, in addition to following the standards.

“Companies won’t want to build devices using two different sets of standards,” Guice added. “They’ll say, ‘If we are going through the process of developing NIST-compliant devices for the federal government, we might as well offer these same devices in whatever other market we are developing in.’”

Tech industry heavyweights have stated their support for the bill, including the trade group BSA: The Software Alliance, which represents Apple, IBM, Microsoft and others. At this time, it is unclear what chance the bill has in Congress.

“The fact that the new bill is bipartisan and has tech industry support gives it a fighting chance,” Guice said. “Maybe in a year like this one, where there is a lot of interest in tech issues, there may be an opportunity like this where they are trying to find a middle ground to improve devices for all users.”