By Kathleen Fultz
The Internet of Things (IoT, think Internet-enabled devices) market is expanding, as are conversations on how to regulate it. In the water treatment industry, we have held education sessions on the IoT during past Water Quality Association conventions and we are seeing new technologies embrace the benefits of connectivity. Many existing regulations on data collection, privacy and personal information protection are not always applicable to today’s technology. To adjust, governments are forming new regulatory frameworks with varying strategies.
Approach to IoT in the United States
In the United States, at the federal level, there were two proposed bills introduced to Congress in 2019, House Bill 1668 and Senate Bill 734, encouraging increased cybersecurity of IoT devices. Multiple federal agencies are also looking at these technologies. The Federal Communications Commission (FCC) regulates radio frequency devices in electronic products and requires all wireless devices sold in the country go through the FCC approval process. The Federal Trade Commission has published best practices for connected device manufacturers on protecting user data. In addition, the Commerce Department’s National Telecommunications and Information Administration is developing guidance for these manufacturers on informing consumers about security updates. There is also a task force under the Commerce Department on Internet Policy, examining the opportunities and challenges of IoT devices and suggestions on the role of government.
States can also set their own requirements. In the state of California, Senate Bill 327 was enacted in September 2018 and becomes effective January 1, 2020. IoT device manufacturers will need to ensure devices have reasonable security features to protect user information. This applies to any device able to connect to the Internet and be assigned an Internet protocol (IP) or Bluetooth address. In the bill, one reasonable security feature for connected devices is a unique, pre-programed password to each manufactured device or a step during setup for the consumer to establish a new authentication password before given access for the first time.
In other countries, the national agency or commission on communications and media or radio is commonly the regulatory body looking at or overseeing IoT devices. For example, in Japan the National Institute of Information and Communications Technology (NICT) as well as the Ministry of Internal Affairs and Communications are working on IoT initiatives. In South Korea, there is the National Radio Research Agency and in Taiwan it’s the National Communications Commission.
A few countries have working groups collaborating between their communications agency and business agency. In Japan, the Ministry of Internal Affairs and Communications and the Ministry for Economic, Trade and Industry have collaborated on IoT security working groups to discuss the advancement of connected devices in society. There are also niche groups, some operating through the government and others through the private sector. In Australia, there is the Internet of Things Alliance Australia; in Europe, there is the European Union Agency for Network and Information Security and New Zealand has an Internet of Things Alliance.
The European Union and countries like Australia, Japan, New Zealand and the United Kingdom have published frameworks on security for connected devices. The United Kingdom’s framework includes resources for consumers on smart homes. Moving from a framework to adopted policies, in the European Union, there are regulations covering IoT devices, with requirements for radio equipment using Wi-Fi, Bluetooth and GPS. There is also the General Data Protection Regulation, harmonizing privacy laws. In Canada, the country has adopted the Personal Information Protection and Electronic Documents Act as its federal privacy law.
In Japan, to gather more information on connected devices the NICT will, beginning in 2020 and ending in 2022, test the security of consumer and business connected devices in Japan. This National Operation Towards IoT Clean Environment (NOTICE) study is looking for devices with weak security and user alerts.
In the coming years, with the increase of IoT devices on the market and a consumer demand for more Wi-Fi- and/or Bluetooth-equipped technology, governments will be deciding how regulations will play a role. This will impact businesses that have or are considering inclusion of IoT products in their line-up of offerings. Stay tuned to WQA education for updates and information that will be critical for your businesses.
About the author
Kathleen Fultz is the Regulatory and Government Affairs Coordinator for the Water Quality Association, located in Lisle, IL. She works on regulatory and government relations activities for the association and oversees the Regulatory Info Search database on WQA’s website. Prior to this position, Fultz interned with WQA and focused on gathering regulatory resources to build a regulatory database for members. The database now contains over 1,200 summaries and links to regulations, codes and laws from the local, state and federal levels of government in the US and Canada.
About the organization
WQA is a not-for-profit international trade association representing the residential, commercial and industrial water treatment industry. WQA is a resource and information source, a voice for the industry, an educator of professionals and a laboratory for product testing.