Sydney Mann
Associate Editor
Loyola University Chicago School of Law, JD 2025
Connectivity has become our way of life. For Apple users, iPhones, MacBooks, iPads, and Apple Watches are interconnected with one touch. For Android enthusiasts, Samsung has developed the ‘SmartThings’ app, enabling users to seamlessly control Smart TVs, monitors, and refrigerators from one device. With the proliferation of ‘Smart Home’ technology, products are being integrated into our everyday lives like never before. Whether it be Google Home products like Google Nest thermostats or the Ring Home Security System, we are able to save energy and protect our most valuable possessions from any device, no matter its operating system. Meanwhile, from a B2B standpoint, IoT provides businesses the opportunity to understand predictive maintenance of their devices, optimize supply chains, and develop stronger customer relationships.
Therefore, the evidence is clear from industry-to-industry: the benefits of IoT are abundant. But what exactly does IoT entail, and what compliance guidelines are in place to protect consumer use? As the landscape expands and new products enter the market, organizations are tasked with developing innovative compliance solutions for an equally contemporary technology platform.
What is IoT?
IoT, or the Internet of Things, describes the network relationship between different devices. Devices (for example, phones, TVs, household appliances, vehicles, and personal accessories) are embedded with sensors, software, and other technologies for the purpose of connecting and sharing data with other devices and platforms over the internet.
This blend of hardware built with the ability to transmit data to other devices allows for cohesive communication that can then be analyzed to perform a variety of tasks autonomously. IoT is important because not only does it offer convenience for users, but it also improves efficiency and cost savings. For example, individuals and businesses are able to reduce energy costs associated with the heating and cooling of their homes or offices, and farmers and agriculturists can save on the amount of water used to feed their crops.
IBM, a global technology company, has published insights on how different industries can benefit from integrating solutions from the IoT universe. For example, with healthcare, IoT can be used to remotely monitor patients and collect real-time data on vital signs. With manufacturing, IoT devices can be used to monitor machine performance and detect equipment failures in advance and adjust production processes in real time in response. Finally, regarding the transportation industry, IoT devices can be used to monitor fuel efficiency of connected cars and vehicle performance, automatically optimizing routes and tracking shipments.
As IBM also notes, with these benefits comes an increase in risks and challenges. Some risks of note that organizations and individuals must keep in mind are the security and privacy of their devices, data overloads on software, and regulatory and legal requirements as they develop.
What ‘compliance’ looks like in the IoT landscape
With the diversity of application across industries, government organizations and regulatory bodies have stepped in to manage these risks.
For example, the Payment Card Industry Security Standards Council (PCI SSC), a private regulatory body formed by industry leaders in the payments space, has developed a ‘Baseline Approach to IoT Security Design’ for IoT devices being deployed within business environments where payments are processed. The PCI SSC was created in 2006 by four major credit-card companies: Visa, MasterCard, Discover and American Express. Their mission is to enhance payment card data security, and they do this by publishing comprehensive standards and supporting materials to help companies ensure the security of cardholder information. The main tenet of PCI SSC’s IoT compliance philosophy is for organizations to tailor system controls to long-standing payment card industry requirements. In doing so, the council allows organizations to better monitor IoT assets and fix issues as they arise.
Similarly, in August of this year, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) on the labeling for IoT devices. The FCC is an independent U.S. government agency that oversees interstate and international communications by radio, television, wire, satellite and cable in the United States, DC, and U.S. territories. The NPRM proposes a voluntary labeling program where organizations would provide information to consumers about the relative security of a smart device or product. In turn, devices bearing the Commission’s proposed label would be recognized as adhering to certain cybersecurity practices. The Commission already provides a fact sheet detailing guidance for organizations on how to provide clear information about the security of their internet-enabled devices.
Despite its voluntary nature, a recent article by In Compliance signals the significance of the FCC’s NPRM, given the economic outlook of the IoT market. According to the compliance news organization, more than 25 billion devices will be connected to the internet by 2030, creating a plethora of openings for threat actors to compromise systems and devices. Thus, manufacturers, testing labs, and certification bodies must act with haste to implement the measures recommended by both the PCI SSC and the FCC when making new products.
Overall, the benefits that IoT offers are too great to name, and the new ways in which our lifestyles change in response to the integration of different smart devices will only further unfold over time. As the IoT ecosystem broadens, today's rule changes and updated control frameworks suggest that every new advancement will be coupled with a new form of compliance.