Consumers are expecting more from products they have used for decades, seeking additional control over devices ranging from refrigerators to cars to fire alarms. And the Internet of Things (“IoT”), which involves the inclusion of limited data processing and software functionality in everyday devices connected to the internet, has allowed people to set their refrigerator temperature remotely from their phone and monitor their car from afar.
But the limited nature of IoT devices means that they have been notoriously vulnerable to cyber attack. The European Union believes that regulating IoT devices can solve this problem. Other countries, the U.S. among them, are sceptical about the utility of regulation in this fast-moving industry.
The EU Cybersecurity Act
The EU plans to exert pressure on IoT device manufacturers through the EU Cybersecurity Act, which, as currently constructed, would create a single certification scheme for information communications technology (“ICT”) devices. On June 8, the Council of the EA agreed on its position for the proposal, which allows for future deliberation within the European Parliament. If the Council and the Parliament agree, the Act will become law.
The stated goal for the Act is to build consumer trust in IoT products while continuing construction of a single EU digital marketplace. The second goal is difficult given that many individual EU member states already have their own cybersecurity certification rules. The push for certification also goes hand in hand with the EU’s Network Infrastructure Security Directive (“NISD”), which went into effect in May 2018 and is designed to protect important sectors such as banking, energy and technology from cyber attacks. NISD includes standards to prevent data breaches and quickly and efficiently confront problems as they occur. It also calls for penalties set by each EU member state for companies that either lack sufficient security protections or fail to notify authorities of breaches.
The Act would also increase the authority of the EU Agency for Network and Information Security (“ENISA”) and make it a permanent EU-wide cybersecurity agency. Currently, ENISA serves as a body of experts voluntarily consulted on cybersecurity matters. But the Act would grant ENISA powers to support both member states and EU institutions on all cybersecurity issues and to conduct cybersecurity exercises. ENISA would also be responsible for carrying out certifications of IoT products. Under the Act as currently proposed, certifying products would be a voluntary exercise for companies unless otherwise stated in EU or specific member state law.
Under the Act, the European cybersecurity certification would: “attest that the ICT processes, products and services that have been evaluated in accordance with [the European cybersecurity certification framework] comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those protects, processes and services throughout their life cycle.”
Proposal 9350/18 (29 May 2018), Title III Cybersecurity Certification Framework, Article 43, ¶ 2. While the certification process has the laudable goal of increasing security for IoT devices, details are scarce on exactly what standards will be applied. The preliminary Act already details different levels of certification, ranging from “basic” to “substantial” to “high.”
But it remains unclear what standards whether different standards will be used for different kinds of devices. In other words, will cars be held to the same standard as refrigerators? More importantly, the Act does not explain how the certification will be renewed or checked throughout the “life cycle” of the IoT device, as set forth in Article 43. Would remote security updates be sufficient, or will verified security audits be necessary for continued certification? More than likely, the vague nature of the security specifications within the proposed Act is intentional, as the rapid nature of the development of ICT and IoT devices means that specific security requirements would become obsolete almost overnight. But clear standards will be necessary before the Act becomes law.
From a broader perspective, the Act raises two key legal questions. First, if the Act creates a new standard of safety for ICT and IoT devices, who will be held liable when a data breach occurs through a certified device? Second, how will the Act and the certification process impact cross-border data transfers between EU and non-EU countries?
Shield for Liability?
Currently, if a consumer in the EU has his or her personal data stolen through an ICT or IoT device, that consumer will pursue a remedy against the manufacturer of the device. But what if the Act passes and the device in question is certified as complying with the EU’s security requirements? Could the consumer hold the EU liable for a breach?
Nothing in the Act suggests that certification would shield an ICT or IoT manufacturer from liability for a data breach. However, given that lawsuits and complaints about events leading to data breaches often turn on whether the manufacturer acted reasonably in protecting the data at issue, certification under the Act would appear to be a key fact in that analysis. In addition, companies certifying their products under the Act would be working closely with ENISA, a body that could also be involved in the investigation of the data breach. Facts relating to a company’s cooperation with ENISA and other EU agencies in investigating and halting a breach could be used to show that the company acted reasonably and responsibly.
The danger to the EU would arrive through the labelling of products as “certified” to create a sense that they are secure and absolutely safe. While the Act makes clear that nothing can guarantee 100 per cent security, consumers may be drawn to certified products based on their belief that the information processed through such products is protected. If a breach occurs within or through a certified product, consumers may challenge the sufficiency of the Act, the standards for certification, or the processes through which ENISA ensures that the products meet the standards.
Another issue arises when one considers the origin and portability of so many ICT and IoT devices. Any time a U.S.-manufactured IoT device sends data from the EU to the U.S., regulatory issues must be navigated. The EU General Data Protection Regulation (“GDPR”) and NISD both regulate such cross-border transfers, but it is unclear at this point how the proposed Act will incorporate the principles of these regulations.
The United States is urging caution when it comes to regulating ICT and IoT devices. In a letter written by the U.S. Chamber of Commerce (among others) and addressed to the European Commission on the proposed Act, the U.S. implored the EU to avoid unnecessary regulation, eschew a one-size-fits-all approach to certification, and prevent creating a false sense of security through labelling certain products as “certified.” See https://www.uschamber.com/iot%26cybersecurity. The U.S. is pushing for policies based on “existing global, voluntary, consensus, and industry-driven standards” for cybersecurity as opposed to a black-and-white certification process.
If the Act passes and certification becomes a necessity to effectuate profitable sales of ICT and IoT devices in Europe, U.S manufacturers of such products may need to navigate the GDPR, the NISD, and the Act in concert. As the U.S. Chamber of Commerce seems to recognise, this could be costly. In any event, all companies involved in the ICT and IoT industry should follow closely the finalisation of the Act in the EU Council and Parliament.
John C. Eustice, member, Miller & Chevalier Chartered
Image Credit: Flickr / janneke staaks