On December 4, 2020, the United States President signed into law H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020.” The Act establishes security standards for Internet of Things (IoT) devices that are owned or controlled by the Federal government and requires the National Institute of Standards and Technology (NIST) to create minimum cybersecurity standards for such devices. Under the Act, NIST has 90 days to develop these security standards and additional guidelines on federal agencies’ appropriate use and management of IoT devices. NIST must develop additional guidelines within 180 days to address requirements for reporting and publishing information on IoT device cybersecurity vulnerabilities. The Act also notes that in two years, federal agencies generally will be prohibited from using any IoT device that does not comply with any of the standards issued by NIST. NIST recently issued a press release describing how it was responding to the Act’s requirements.
As the federal government moves to strengthen IoT device security, it stands to reason that eventually more secure IoT devices will make it into the hands of consumers. The devices that make up the “Internet of Things” are devices that you don’t normally think of as having an Internet connection. In addition to connected audio devices like Amazon Echo or Google Home, IoT devices include smart locks, light switches and plugs that can be controlled remotely, smart orthopedic braces, fitness trackers and smart watches. You can even buy connected teakettles and connected toys. For all of the novelty and convenience they may offer, IoT devices also introduce data privacy and security concerns. Like any computer system, these devices and services collect, store, and transmit personal data that is either sensitive or confidential on its own, or sensitive and confidential when combined. We have written previously about the consumer data privacy implications of these devices.
In addition to data privacy concerns, the devices themselves may be less secure than expected. Some may use old operating systems and hardware, lack sufficient device update functionality, have hard-coded passwords, and, most often, transfer data indiscriminately and insecurely. The lack of security and privacy standards for IoT devices definitely introduces risk for the average households and businesses that use them.
Data Privacy Day is a global annual event that commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty addressing privacy and data protection. In the United States, the National Cyber Security Alliance (NCSA) encourages all people to “Own Your Privacy” by learning how to protect your personal data. NCSA offers a number of different resources to help you manage your privacy on devices and online services.
Vantage has been a proud Data Privacy Day Champion for several years. Keeping with this year’s theme, we encourage individuals and businesses to “Own Your Privacy” on IoT devices. Protecting your data and securing these devices is especially important as these devices continue to proliferate. Cisco predicts that, in 2021, there will be 27.1 billion networked devices in use around the world, up from 17.1 billion devices just 4 years ago. That’s about 3.5 networked devices for every person on earth. As processors grow smaller and less expensive, and networking technologies become more available, this number of connected devices can only be expected to rise.
To protect yourself, your data, and your IoT devices on Data Privacy Day, you can take the following actions:
- If you can, change the default usernames and passwords on your IoT devices. If your IoT devices offer two-factor authentication, use it.
- Disable any features of the device that you do not need, especially features that allow multiple devices to share data with third parties.
- Understand how the device collects data and limit the amount of data it collects to only what you need to use the device comfortably.
- If the device collects a history, consider deleting it regularly.
- Make sure that you install updates promptly when you receive them, especially if the update patches a security flaw.
- Read the “Terms and Conditions” for services, devices, and apps every single time and understand what you are agreeing to.
If you wish to learn more about data privacy and security and the Internet of Things, we recommend the following resources:
- Video: Smart Devices Need Smart Security
- What You Need to Know to Secure Your IoT Devices
- Careful Connections: Keeping the Internet of Things Secure (for IoT developers)
This blog was authored by Associate Vice President Joanna Lyn Grama, who advises clients on information security policy, compliance, governance, and data privacy issues as part of Vantage’s Strategic Planning and Technology Management practice. Leader of Vantage’s Information Security Practice, Joanna is a proud owner of a connected teakettle, but drew the line at having a connected washer and dryer.