by Samuel G. Bieler
This is the second in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The first part may be found here.
Poor regulation of the consumer IoT electronics sector compounds the negative market incentives discussed in the first part of this series. While standards for IoT devices are taking shape in some sectors of the U.S. economy, no similar regime has been developed for the broad consumer IoT electronics market. Moreover, little expert consensus has developed as to what such a regime would look like even if the political will existed to implement it. Such a regime would also have to contend with the challenges of regulating a market where many key actors are overseas. These challenges need not pose an insuperable barrier to developing a sound regulatory regime but do suggest that far more thought needs to be put into understanding what IoT regulation would actually look like.
by Samuel G. Bieler
This is the first in a two-part series exploring what drives weak cybersecurity in consumer IoT devices. The second part may be found here.
Cybersecurity in U.S. consumer Internet of Things (“IoT”) electronics is remarkably weak, and this vulnerability is driven, in large part, by the economics behind these devices. Consumers lack the knowledge to make cybersecurity-informed purchasing decisions even if they are willing to do so – and many are not, particularly for low-end items. This means manufacturers are not rewarded for building good cybersecurity into their devices and may even be punished for it. Developers who take the time to build security into their devices may lose the race to market and the advantages that come with getting a product there first. Collectively, these factors make it unlikely that market dynamics alone will improve cybersecurity in the consumer IoT market. Policy interventions will be necessary to mitigate some of these economic incentives.
The consumer IoT electronics market consists of devices designed for daily household use, whose primary purpose is not internet-enabled communication or browsing. This narrow definition cabins the analysis of the IoT sector to a ubiquitous and problematic set of products. It includes everyday goods like baby monitors, refrigerators, and even toasters whose operation is enhanced with or facilitated by an internet connection. It excludes goods not used in the home like cars with internet capabilities or components of complex industrial systems.
by Joshua Pirutinsky
Sometimes the unexpected happens. But preparing for the unexpected is the essence of the compliance function. The failure to effectively prepare for risks unrelated to your core business can be disastrous. A seemingly innocuous compliance breach could disqualify your firm from participating in a private offering of securities under Rule 506(d), known as the “Bad Actor” Disqualification. Being a Bad Actor can have detrimental, if not fatal, consequences for your firm – hence the critical importance of making known certain unknowns.
by Jason Driscoll
This post is the second part of a two-part post by the author.
In my previous post (DeCoster v. United States: Testing the Limits of the Responsible Corporate Officer Doctrine), I discussed how the Food and Drug Administration (“FDA”) and the Department of Justice (“DOJ”) have revived the Responsible Corporate Officer (“RCO”) doctrine in an attempt to increase compliance with the Federal Food, Drug, and Cosmetic Act (“FDCA”). In light of the incarcerative sentences in the Quality Egg case, I addressed the DOJ’s new strategy of seeking enhanced sanctions in RCO cases. In United States v. Quality Egg, LLC, the government brought FDCA Section 333(a)(1) misdemeanor food adulteration cases against two corporate officers—Jack and Peter DeCoster—ultimately securing three-month prison sentences premised largely on the RCO doctrine. On appeal, the DeCosters argued that the incarcerative sentences violated due process absent evidence of mens rea or actus reus. The Eighth Circuit affirmed the sentences, however, holding that a three-month strict liability prison sentence was “relatively light” doing “no grave damage” to an offender’s reputation. A petition for a writ of certiorari followed, inviting the Supreme Court to review the doctrine for the first time since 1975, but was denied.
by Natalie Noble
The importance of establishing a robust “culture of compliance” within corporations is a common refrain among government regulators. But developing a structured process, much less a firm definition, around such a squishy concept can be a daunting task for compliance officers. At its core, an effective culture of compliance should shape employees’ gut instincts by reinforcing values that weigh against breaking the law. To accomplish this, companies should supplement their traditional ethics trainings and “tone at the top” by integrating compliance factors into their incentives programs and forestalling ethical fading. As an additional line of defense, companies should actively encourage employees to slow down and think methodically about their decisions before they take final action.
by Peter Varlan
Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.
The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability.
by Jason Driscoll
This post is the first part of a multi-part post by the author.
Over the last decade, the Food and Drug Administration and the Department of Justice have revived the use of the Responsible Corporate Officer (“RCO”) doctrine in an attempt to increase compliance with the Food, Drug, and Cosmetic Act (“FDCA”). Two recent cases—United States v. Purdue Frederick Co. and United States v. Quality Egg, LLC—illustrate the regulators’ new approach: impose strict criminal liability on individual corporate officers and seek enhanced sanctions in the name of effective deterrence. However, while the Supreme Court has upheld criminal fines premised on the RCO doctrine, the Court has not yet opined on the legality of more serious penalties such as long-term debarment or imprisonment. The Court now has that opportunity. In DeCoster v. United States, the Quality Egg defendants (Jack and Peter DeCoster) have filed cert. petitions asking the Court to review the lawfulness of their prison sentences and the RCO doctrine altogether. For anyone concerned about the expanding scope of corporate officer liability, this case could mark a turning point.