[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2234 Introduced in Senate (IS)]

115th CONGRESS
  1st Session
                                S. 2234

   To require the Federal Trade Commission to develop cybersecurity 
 resources for consumer education and awareness regarding the purchase 
  and use of devices that are part of the Internet of Things, and for 
                            other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           December 14, 2017

Mr. Wicker (for himself and Ms. Hassan) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To require the Federal Trade Commission to develop cybersecurity 
 resources for consumer education and awareness regarding the purchase 
  and use of devices that are part of the Internet of Things, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Internet of Things Consumer Tips to 
Improve Personal Security Act of 2017'' or the ``IOT Consumer TIPS Act 
of 2017''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) The term ``Internet of Things'' refers to devices, 
        applications, and physical objects that are Internet-enabled, 
        networked, or connected.
            (2) The devices that are part of the Internet of Things are 
        equipped with sensors or developed with automated 
        functionalities that allow them to collect, send, or receive 
        data, and perform according to consumer preferences that 
        enhance productivity, efficiency, and convenience.
            (3) The rapid adoption of the Internet of Things among 
        consumers and businesses is driven by the wide range of 
        economic and societal benefits that are generated by such 
        devices across almost every industry and sector.
            (4) Consumer trust in the security of the Internet of 
        Things is paramount to the leadership and competitiveness of 
        the United States in the global digital economy.
            (5) It is the policy of the United States to encourage 
        innovation in the development and use of the Internet of Things 
        and empower consumers to be responsible digital citizens and 
        manage the security of their devices in collaboration with 
        manufacturers, sellers, and service providers.

SEC. 3. FEDERAL EDUCATIONAL CYBERSECURITY RESOURCES FOR CONSUMERS 
              REGARDING DEVICES THAT ARE PART OF THE INTERNET OF 
              THINGS.

    (a) Definitions.--In this section--
            (1) Covered device.--The term ``covered device''--
                    (A) includes devices, applications, and physical 
                objects that are--
                            (i) part of the Internet of Things; and
                            (ii) marketed and sold primarily to 
                        consumers; and
                    (B) does not include--
                            (i) devices that are marketed and sold for 
                        use primarily in industrial, business, or 
                        enterprise settings; or
                            (ii) smartphones, tablets, personal 
                        computers, or devices leased to consumers by 
                        multichannel video programming distributors.
            (2) Cybersecurity threat.--The term ``cybersecurity 
        threat'' has the meaning given to the term in section 102 of 
        the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).
            (3) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given to the term in section 
        102 of the Cybersecurity Information Sharing Act of 2015 (6 
        U.S.C. 1501).
    (b) Development of Educational Cybersecurity Resources.--Not later 
than 1 year after the date of enactment of this Act, the Federal Trade 
Commission shall, in coordination with the National Institute of 
Standards and Technology and relevant private sector stakeholders and 
experts, develop voluntary educational cybersecurity resources for 
consumers relating to the practices of consumers with respect to the 
protection and use of covered devices, including citing evidence of 
consumer attitudes and expectations.
    (c) Elements.--The voluntary resources developed under subsection 
(b) shall be technology-neutral and include guidance, best practices, 
and advice for consumers to protect against, mitigate, and recover from 
cybersecurity threats or security vulnerabilities, where technically 
feasible, including--
            (1) the scope of possible security support from a vendor 
        post-purchase;
            (2) how to initiate or set up a covered device for use;
            (3) the use of passwords, available security tools and 
        settings, appropriate physical controls, and avoidance of steps 
        that can defeat security;
            (4) updates to the software of a covered device during 
        operation or use if applicable;
            (5) the recovery of compromised devices;
            (6) end-of-life considerations such as resetting, deleting, 
        or modifying data collected or retained by a covered device 
        when it is no longer in use or expected to be used by the 
        consumer;
            (7) security services, tools, or platforms for connected 
        devices that may help consumers manage connected devices; and
            (8) varying security considerations depending on factors, 
        including the type of device and setting of use.
    (d) Availability and Publication.--The Federal Trade Commission 
shall ensure that the resources developed under subsection (b) are 
available to and readily accessible by the public on the Internet 
website of the Federal Trade Commission.
    (e) Periodic Updates.--The Federal Trade Commission shall review, 
and, as necessary update the resources developed under subsection (b), 
in collaboration with industry stakeholders, to address changes in 
cybersecurity threats or security vulnerabilities and other technology 
developments or challenges.
    (f) Voluntary Use.--The resources developed under subsection (b) 
shall be for voluntary use by consumers.
    (g) Treatment.--No guidelines, best practices, or advice issued by 
the Federal Trade Commission with respect to the resources developed 
under subsection (b) shall confer any right on any person, State, or 
locality, nor shall operate to bind the Federal Trade Commission or any 
person to the approach recommended in such guidance, best practice, or 
advice. The Federal Trade Commission may not base an enforcement action 
on, or execute a consent order based on, any failure to promote or use 
such guidance, or any practice used for covered device functionality 
that is alleged to be inconsistent with any guidance, best practice, or 
advice included in the resources developed under subsection (b), unless 
the practice allegedly violates another provision of law. Nothing in 
this Act is intended to limit the ability of the Federal Trade 
Commission to enforce section 5 of the Federal Trade Commission Act (15 
U.S.C. 45).