What the U.S. Cyber Trust Mark Means for IoT Security and How to Prepare

This year’s Data Privacy Week theme is “take control of your data.” That can be really challenging to do. Data is collected from everywhere—whether online or offline—and can be stored and used indefinitely (even if the quality of the data is no longer good due to age). While not quite the same as a privacy label, the new U.S. Cyber Trust Mark can help consumers make informed decisions to keep their data out of the hands of criminal enterprises…at least for wireless consumer Internet of Things (IoT) products.

The U.S. Cyber Trust Mark was officially launched earlier this month, with a trademarked logo, administrative rules, and conditional approval of private label administrators. The concept behind the Cyber Trust Mark is similar to other easy-to-read consumer notifications, like the Nutrition Facts label on food products, the EnergyStar label for appliances, or the Monroney label (window sticker) on cars. However, unlike some of these consumer notifications, the Cyber Trust Mark program is voluntary. For a company to place the logo on a product, the product must be tested by an accredited lab and meet certain cybersecurity standards.

Consumers will start seeing the Cyber Trust Mark placed on various IoT devices—ranging from home security cameras to smart appliances to fitness trackers to baby monitors—this year. Any product bearing the Cyber Trust Mark will also have a QR code that links to a registry of information about the security of the product, including how to change the default password, how to configure the device, the support period for the product, and whether software patches and security updates are automatically downloaded. Certain products are not eligible to receive a Cyber Trust Mark, including medical devices, motor vehicles, and wired devices. Products primarily used for business purposes are also not included in the program.

Businesses that manufacture IoT products that are eligible for the program need to have their product tested by a CyberLAB and submit an application to a Cybersecurity Label Administrator for approval. Although the program was officially announced, the standards and testing procedures are still going through a stakeholder engagement process and public notice period.

In summary, if your business manufactures IoT devices, get involved in the process now. If you haven’t already, start reviewing NIST and ICO standards so that, in the next few months, you will be able to apply for a Cyber Trust Mark.

If you have questions about the U.S. Cyber Trust Mark or any other privacy or security framework, please contact our privacy & data security team.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
