Text: S.2234 — 115th Congress (2017-2018)All Information (Except Text)

There is one version of the bill.

Text available as:

Shown Here:
Introduced in Senate (12/14/2017)


115th CONGRESS
1st Session
S. 2234


To require the Federal Trade Commission to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of devices that are part of the Internet of Things, and for other purposes.


IN THE SENATE OF THE UNITED STATES

December 14, 2017

Mr. Wicker (for himself and Ms. Hassan) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation


A BILL

To require the Federal Trade Commission to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of devices that are part of the Internet of Things, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Internet of Things Consumer Tips to Improve Personal Security Act of 2017”or the “IOT Consumer TIPS Act of 2017”.

SEC. 2. Findings.

Congress finds the following:

(1) The term “Internet of Things” refers to devices, applications, and physical objects that are Internet-enabled, networked, or connected.

(2) The devices that are part of the Internet of Things are equipped with sensors or developed with automated functionalities that allow them to collect, send, or receive data, and perform according to consumer preferences that enhance productivity, efficiency, and convenience.

(3) The rapid adoption of the Internet of Things among consumers and businesses is driven by the wide range of economic and societal benefits that are generated by such devices across almost every industry and sector.

(4) Consumer trust in the security of the Internet of Things is paramount to the leadership and competitiveness of the United States in the global digital economy.

(5) It is the policy of the United States to encourage innovation in the development and use of the Internet of Things and empower consumers to be responsible digital citizens and manage the security of their devices in collaboration with manufacturers, sellers, and service providers.

SEC. 3. Federal educational cybersecurity resources for consumers regarding devices that are part of the Internet of Things.

(a) Definitions.—In this section—

(1) COVERED DEVICE.—The term “covered device”—

(A) includes devices, applications, and physical objects that are—

(i) part of the Internet of Things; and

(ii) marketed and sold primarily to consumers; and

(B) does not include—

(i) devices that are marketed and sold for use primarily in industrial, business, or enterprise settings; or

(ii) smartphones, tablets, personal computers, or devices leased to consumers by multichannel video programming distributors.

(2) CYBERSECURITY THREAT.—The term “cybersecurity threat” has the meaning given to the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

(3) SECURITY VULNERABILITY.—The term “security vulnerability” has the meaning given to the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

(b) Development of educational cybersecurity resources.—Not later than 1 year after the date of enactment of this Act, the Federal Trade Commission shall, in coordination with the National Institute of Standards and Technology and relevant private sector stakeholders and experts, develop voluntary educational cybersecurity resources for consumers relating to the practices of consumers with respect to the protection and use of covered devices, including citing evidence of consumer attitudes and expectations.

(c) Elements.—The voluntary resources developed under subsection (b) shall be technology-neutral and include guidance, best practices, and advice for consumers to protect against, mitigate, and recover from cybersecurity threats or security vulnerabilities, where technically feasible, including—

(1) the scope of possible security support from a vendor post-purchase;

(2) how to initiate or set up a covered device for use;

(3) the use of passwords, available security tools and settings, appropriate physical controls, and avoidance of steps that can defeat security;

(4) updates to the software of a covered device during operation or use if applicable;

(5) the recovery of compromised devices;

(6) end-of-life considerations such as resetting, deleting, or modifying data collected or retained by a covered device when it is no longer in use or expected to be used by the consumer;

(7) security services, tools, or platforms for connected devices that may help consumers manage connected devices; and

(8) varying security considerations depending on factors, including the type of device and setting of use.

(d) Availability and publication.—The Federal Trade Commission shall ensure that the resources developed under subsection (b) are available to and readily accessible by the public on the Internet website of the Federal Trade Commission.

(e) Periodic updates.—The Federal Trade Commission shall review, and, as necessary update the resources developed under subsection (b), in collaboration with industry stakeholders, to address changes in cybersecurity threats or security vulnerabilities and other technology developments or challenges.

(f) Voluntary use.—The resources developed under subsection (b) shall be for voluntary use by consumers.

(g) Treatment.—No guidelines, best practices, or advice issued by the Federal Trade Commission with respect to the resources developed under subsection (b) shall confer any right on any person, State, or locality, nor shall operate to bind the Federal Trade Commission or any person to the approach recommended in such guidance, best practice, or advice. The Federal Trade Commission may not base an enforcement action on, or execute a consent order based on, any failure to promote or use such guidance, or any practice used for covered device functionality that is alleged to be inconsistent with any guidance, best practice, or advice included in the resources developed under subsection (b), unless the practice allegedly violates another provision of law. Nothing in this Act is intended to limit the ability of the Federal Trade Commission to enforce section 5 of the Federal Trade Commission Act (15 U.S.C. 45).


Share This