Responding to the rise of interconnected technology, the National Institute of Standards and Technology (NIST) has recently issued the introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) cybersecurity and privacy risks.  Open for comment through October 24, 2018, Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, aims to raise awareness among federal agencies and other organizations of the cybersecurity and privacy risks that IoT devices present throughout their lifecycles.  NIST intends NISTIR 8228 to serve as a high-level baseline publication for IoT device risk mitigation, since the myriad uses and types of IoT devices mean that few recommendations can apply to all IoT concerns.  NIST plans to issue subsequent publications with more detailed recommendations for particular categories of IoT devices.  Notably, though, Appendix A of the Draft NISTIR 8228 lists examples of possible universal IoT risk mitigation recommendations.

In the Draft NISTIR 8228, NIST highlights the distinct risks that IoT devices present because they interact with information systems differently than traditional IT devices do.  NIST also raises the concern that many organizations are not aware of the large number of IoT devices operating within their information system environments, or of how IoT devices affect cybersecurity and privacy risk management, particularly risk response.  The Draft NISTIR 8228 presents the following three risk mitigation goals for organizations:

  • Protect device security by preventing devices from being used to conduct attacks;
  • Protect data security by safeguarding the confidentiality, integrity, and availability of data handled by the device, including personally identifiable information (PII); and
  • Protect the privacy of individuals impacted by PII processing.

This draft publication is a much-anticipated addition to NIST's body of cybersecurity guidance, as IoT adoption shows no signs of slowing.

Cheryl A. Falvey

Cheryl A. Falvey helps clients launch innovative new products while protecting their brand and reputation, avoiding and defending liability in the marketing of their products, building safety and security into their products with science-based risk assessment, and successfully navigating product safety challenges with rapid response.

An experienced trial lawyer, and a former general counsel of the United States Consumer Product Safety Commission (CPSC), Cheri defends class actions, unfair competition, product liability and other mass tort claims arising out of consumer, occupational, and environmental exposures. She also provides brand and consumer protection counseling services, with a focus on product safety and security, including the Internet of Things; privacy; anti-counterfeiting; and digital media. Cheri represents a wide range of clients, from emerging companies to multinational Fortune 500 conglomerates.

Cheri is widely recognized as a leader in her field. She is one of an elite group of attorneys to be ranked in Chambers USA, Band 1 for Product Liability: Regulatory. She is highly regarded for her considerable experience advising clients on regulatory issues, including risk assessments, product recalls and CPSC investigations.

She represents clients on litigation and counseling matters regarding:

  • Compliance with statutes and regulations enforced by the CPSC, FDA, NHTSA, and the FTC.
  • Product recalls conducted in cooperation with NHTSA, CPSC, and FDA, and the defense of clients in agency enforcement actions seeking civil and criminal penalties.
  • Manufacturers faced with the potential release of unfair and inaccurate information by the government.
  • The sale and marketing of consumer products on the Internet, including compliance with the Children’s Online Privacy Protection Act, the FTC’s Green Guides, and state and federal privacy laws.

Prior to joining Crowell & Moring, Cheri served as the general counsel of the CPSC. In that capacity, she oversaw all federal court litigation, including civil and criminal cases referred by the Commission to the Department of Justice. Her tenure at the CPSC included advising the agency on the implementation of the Consumer Product Safety Improvement Act, a sweeping change to its statutes that had an impact across diverse industry sectors.

Cheri serves as Vice-chair of the American Bar Association’s Consumer Products Regulation Committee, Administrative Law & Regulatory Practice Section. She was named to the National Law Journal’s 2014 list of Governance, Risk & Compliance Trailblazers & Pioneers. Prior to joining the CPSC, Cheri had over 20 years of private practice experience as a partner with another international law firm, where she chaired the firm’s D.C. litigation practice. Cheri is also a former member of Crowell & Moring’s Management Board.

Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.