Almost 20 years have passed since technology pioneer Kevin Ashton first coined the phrase Internet of Things (IoT) in a 1999 presentation for Procter & Gamble (Kevin Ashton, “Beginning the Internet of Things,” Medium (March 18, 2016). The Internet of Things consists of physical items that collect information through sensors or chips and then share that information with other devices through the Internet or other networks. Since the introduction of the term, the growing network of these connected devices (expected to reach 30 billion devices by 2020) has created tremendous possibilities. Today, we have phones that provide limitless information at our fingertips, health care devices that can instantly share a patient’s vital statistics to save precious response time, and we are on the cusp of self-driving cars that promise mitigation, if not elimination, of human driving error. Yet, each device added to the internet creates opportunity for a malicious attack or hacking.

The state of IoT regulation is patchwork at best. Although most applicable federal regulations are enforced by the Federal Trade Commission (FTC), there are no comprehensive regulations or laws for IoT devices. The lack of clear and unambiguous standards to govern IoT security leaves IoT innovators wrestling to identify what standards should be achieved. This, in turn, can lead to security shortfalls. Congress is considering three pieces of legislation to help solve this dilemma. However, as discussed below, while each bill addresses some problems, none resolves all of the issues.

The Pending Legislation