
	

115 S2234 IS: Internet of Things Consumer Tips to Improve Personal Security Act of 2017
U.S. Senate
2017-12-14
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		II
		115th CONGRESS1st Session
		S. 2234
		IN THE SENATE OF THE UNITED STATES
		
			December 14, 2017
			Mr. Wicker (for himself and Ms. Hassan) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
		
		A BILL
		To require the Federal Trade Commission to develop cybersecurity resources for consumer education
			 and awareness regarding the purchase and use of devices that are part of
			 the Internet of Things, and for other purposes.
	
	
		1.Short title
 This Act may be cited as the Internet of Things Consumer Tips to Improve Personal Security Act of 2017or the IOT Consumer TIPS Act of 2017.
 2.FindingsCongress finds the following: (1)The term Internet of Things refers to devices, applications, and physical objects that are Internet-enabled, networked, or connected.
 (2)The devices that are part of the Internet of Things are equipped with sensors or developed with automated functionalities that allow them to collect, send, or receive data, and perform according to consumer preferences that enhance productivity, efficiency, and convenience.
 (3)The rapid adoption of the Internet of Things among consumers and businesses is driven by the wide range of economic and societal benefits that are generated by such devices across almost every industry and sector.
 (4)Consumer trust in the security of the Internet of Things is paramount to the leadership and competitiveness of the United States in the global digital economy.
 (5)It is the policy of the United States to encourage innovation in the development and use of the Internet of Things and empower consumers to be responsible digital citizens and manage the security of their devices in collaboration with manufacturers, sellers, and service providers.
			3.Federal educational cybersecurity resources for consumers regarding devices that are part of the
			 Internet
			 of Things
 (a)DefinitionsIn this section— (1)Covered deviceThe term covered device—
 (A)includes devices, applications, and physical objects that are— (i)part of the Internet of Things; and
 (ii)marketed and sold primarily to consumers; and (B)does not include—
 (i)devices that are marketed and sold for use primarily in industrial, business, or enterprise settings; or
 (ii)smartphones, tablets, personal computers, or devices leased to consumers by multichannel video programming distributors.
 (2)Cybersecurity threatThe term cybersecurity threat has the meaning given to the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
 (3)Security vulnerabilityThe term security vulnerability has the meaning given to the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
 (b)Development of educational cybersecurity resourcesNot later than 1 year after the date of enactment of this Act, the Federal Trade Commission shall, in coordination with the National Institute of Standards and Technology and relevant private sector stakeholders and experts, develop voluntary educational cybersecurity resources for consumers relating to the practices of consumers with respect to the protection and use of covered devices, including citing evidence of consumer attitudes and expectations.
 (c)ElementsThe voluntary resources developed under subsection (b) shall be technology-neutral and include guidance, best practices, and advice for consumers to protect against, mitigate, and recover from cybersecurity threats or security vulnerabilities, where technically feasible, including—
 (1)the scope of possible security support from a vendor post-purchase; (2)how to initiate or set up a covered device for use;
 (3)the use of passwords, available security tools and settings, appropriate physical controls, and avoidance of steps that can defeat security;
 (4)updates to the software of a covered device during operation or use if applicable; (5)the recovery of compromised devices;
 (6)end-of-life considerations such as resetting, deleting, or modifying data collected or retained by a covered device when it is no longer in use or expected to be used by the consumer;
 (7)security services, tools, or platforms for connected devices that may help consumers manage connected devices; and
 (8)varying security considerations depending on factors, including the type of device and setting of use.
				(d)Availability and publication
 The Federal Trade Commission shall ensure that the resources developed under subsection (b) are available to and readily accessible by the public on the Internet website of the Federal Trade Commission.
 (e)Periodic updatesThe Federal Trade Commission shall review, and, as necessary update the resources developed under subsection (b), in collaboration with industry stakeholders, to address changes in cybersecurity threats or security vulnerabilities and other technology developments or challenges.
 (f)Voluntary useThe resources developed under subsection (b) shall be for voluntary use by consumers. (g)TreatmentNo guidelines, best practices, or advice issued by the Federal Trade Commission with respect to the resources developed under subsection (b) shall confer any right on any person, State, or locality, nor shall operate to bind the Federal Trade Commission or any person to the approach recommended in such guidance, best practice, or advice. The Federal Trade Commission may not base an enforcement action on, or execute a consent order based on, any failure to promote or use such guidance, or any practice used for covered device functionality that is alleged to be inconsistent with any guidance, best practice, or advice included in the resources developed under subsection (b), unless the practice allegedly violates another provision of law. Nothing in this Act is intended to limit the ability of the Federal Trade Commission to enforce section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
