Makers of internet-connected devices — from kitchen appliances, to fitness trackers, to automobiles — argue that policymakers should not enact strict mandates on data security and privacy that could dampen innovation in their evolving industry, and to that end, first-of-its-kind California legislation might seem to be ideal.

But the would-be law’s flexibility could invite security gaps that might imperil consumers’ privacy and make the devices — and the companies that make them — vulnerable to cyberattack, attorneys say.

The bill also would compel manufacturers to pay more attention to security at the design phase, and provide notice to consumers in several ways, “through the use of words or icons on the device’s packaging, or on the product’s packaging or on the manufacturer’s internet website.” The notices would detail how consumers could get security patches and updates, whether the device is capable of gathering audio, video, location, biometric, health and other sensitive user information, and how frequently that information is collected.

The deployment of new ways to alert consumers about privacy and security risks could end up leading to more legal liability as well, attorneys say.

“For manufacturers, the primary risk they’re going to have is in the disclosure requirements that this bill would mandate,” said Philip Yannella, privacy and data security co-practice leader with Ballard Spahr LLP. “If there is some type of notorious data breach that involves a connected device and the manufacturer has made disclosures about the reasonableness of its data security, that can become a target for plaintiffs’ lawyers who may assert consumer fraud-type theories.”
