Executive Order Launches Cybersecurity Labeling Regime for Consumer Products
The Biden Administration's Executive Order directs the Department of Commerce and the Federal Trade Commission to establish pilot programs to develop product labels that inform consumers about the cybersecurity capacities of commercially available software and Internet-of-Things ("IoT") devices.
On May 12, 2021, President Biden issued a sweeping Executive Order aimed at improving the nation's cybersecurity. Section 4 tasks the Department of Commerce's National Institute of Standards and Technology ("NIST") with creating pilot programs that will formulate criteria for product labels to educate consumers about the cybersecurity capacities of commercially available software and IoT devices (that is, devices that are connected to the internet, such as baby monitors, smart locks, and cameras). We previously discussed the portions of this Executive Order that concern U.S. Government contractors in this Commentary.
The Administration's stated goal in creating a cybersecurity-labeling regime is to enable "the government—and the public at large—[to] quickly determine whether software was developed securely." The Order requires NIST to collaborate with the Federal Trade Commission to develop these cybersecurity criteria. The Order provides that the labels should be designed for easy comprehension by consumers and ready adoption by the private sector. NIST must publish the pilot programs' findings early next year.
Although the pilot programs will not mandate companies to use these labels, their development presages new expectations for sellers of software and IoT devices. Sellers often do not address cybersecurity in marketing their products, but the labeling regime may incent them competitively to do so. This development, in turn, may induce companies to strengthen cybersecurity in designing their products—likely the underlying objective of the program.
The proposed labeling regime presents legal risk for companies that choose to participate. The FTC has a history of enforcement actions against companies for making deceptive statements about cybersecurity. The labelling regime will provide new opportunities for the FTC, as well as state consumer protection regulators and class action lawyers, to pursue companies for deceptive practices if their software or IoT devices fail to meet the claimed criteria.
Not only will the labels that emerge from this process carry the government's imprimatur, they may also become required for federal procurement contracts. The federal government implemented a similar program for cloud services—known as the Federal Risk and Authorization Management Program, or FedRAMP—whose certifications are required under many government contracts and often touted to private-sector consumers as well. President Biden's Order may generate a similar dynamic here.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.