Focus on Regulation

Winnik Forum Panelists Explore Cybersecurity in the Connected World

Hogan Lovells’ Winnik International Telecoms & Internet Forum explored how the Internet of Things (IoT) may continue to expand the scope of cybersecurity concerns.  Cybersecurity risks for the IoT were previously synonymous with enterprise products.  Now these risks extend to consumer devices, services and applications.

According to cybersecurity leaders attending the forum, the IoT market needs new, market-driven approaches to cybersecurity given the number of at-risk IoT products and services.  Travis LeBlanc, Chief of the Federal Communications Commission’s (FCC) Enforcement Bureau, said while the number of IoT devices has exploded, the existing 500 million IoT devices with outdated security features are “not going anywhere.”  According to LeBlanc, “government needs to incentivize the entire [IoT] community because individual networks may not be affected.” LeBlanc reviewed various government initiatives from the FCC, Federal Trade Commission, National Telecommunications and Information Administration, and the National Institute of Standards and Technology.  He said innovation is outpacing regulation.  According to LeBlanc, government should not over-regulate because doing so would restrain innovation.  He added that, while achieving perfectly secure devices and networks is impossible, industry and government can better manage risks through collaboration, consumer education, and multi-national efforts to confront global cybersecurity threats.

Other panelists identified the persistent tension between cybersecurity and usability as a continuing challenge for businesses selling or using IoT products and services.  Austin Carson, the Legislative Director to Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, said that robust security protections can interfere with the convenience that consumers demand from IoT devices.  According to Carson, class action lawsuits have become a new source of business risk.  When a known vulnerability is exploited, plaintiffs’ attorneys have sought to recover damages for the diminution of value in a product as a result of a cybersecurity breach, including consequential damages to other property due to the cybersecurity breach, Carson said.  According to Carson, the financial risk from these types of class actions far exceeds any potential government fine.

Julie Kearney of the Consumer Technology Association said the consumer technology industry has sought to address cybersecurity risks without regulation.  According to Kearney, businesses face a challenge in educating consumers to secure their own networks and buy products from reputable brands.  The private sector also has to confront the proliferation of standards for networks and redouble efforts to incorporate security by design into every device without sacrificing functionality and ease of use.

Lisa Hayes with the Center for Democracy and Technology agreed.  According to Hayes, consumers love connected devices but worry that some connected devices, such as medical products, may no longer function if Internet connectivity is lost.  Hayes said that companies should begin encrypting everything and adopt new security standards for IoT devices as they become available.

In sum, panelists asserted the market can address new and evolving IoT cybersecurity risks better than government mandates, so long as regulators and courts allow companies room to maneuver.  Meanwhile, the rest of us – from device manufacturers to consumers – each have a role to play in protecting connected devices and minimizing the risks as much as possible.

The IoT in the Real World: An Armchair Discussion with Stacey Higginbotham

Connected devices are everywhere and create a wealth of data.  How do we understand and use this data?  And how do we protect it against disclosure and attack? 

With questions like these, Stacey Higginbotham, creator of the Internet of Things Podcast and the “Stacey Knows Things” newsletter, launched an “armchair discussion” about the Internet of Things (“IoT”) during Hogan Lovells’ recent Winnik International Telecoms & Internet Forum.  The discussion featured Dean Brenner, Senior Vice President, Government Affairs for Qualcomm Incorporated and Jonathan Adelstein, President and CEO of the Wireless Infrastructure Association.

Brenner acknowledged that the industry is enthusiastic about having 5G wireless communications technology eventually serving as the IoT’s backbone but noted that a future network cannot transport today’s data.  Existing smart devices have to rely on the cellular, Wi-Fi, low-power wide area and proprietary networks currently in place to enable their functions.  The alternatives are improving: in response to the increased demand for IoT connectivity, major U.S. wireless carriers are starting to deploy technologies to specifically support IoT devices, such as LTE CAT-M.  There is no “one and done” solution, however.  Adelstein noted that ensuring that there is enough capacity to support the growing IoT industry will continue to require significant network infrastructure investment—even beyond 5G.

The conversation then turned to data privacy and security issues.  Brenner said he remained concerned that one data breach could harm the entire IoT sector.  He highlighted the importance of a multi-stakeholder approach to securing data privacy in this context.  Higginbotham agreed with the benefits of multi-stakeholder solutions, but contested Brenner’s premise.  According to Higginbotham, sizeable data breaches in the IoT sector have already occurred and yet the IoT industry continues to thrive.  Adelstein also supported following a multi-stakeholder approach to enhance privacy and security, and added that while truly sensitive data must be carefully protected, deploying the networks that make the IoT possible requires significant investments in infrastructure.  Finding a privacy and security solution that allows networks to monetize data, Adelstein asserted, should also be a priority.

Higginbotham, Brenner and Adelstein also discussed the challenges of understanding the data generated by connected devices.  Saving money can be as profitable as making money.  But Higginbotham asked how anyone could measure the value of the IoT when so many IoT devices and applications seek to prevent negative outcomes and avoid costs.  Brenner and Adelstein agreed on the problem.  They said the industry needs to identify better value measurements to show companies, governments and consumers how the IoT benefits them financially.

CFIUS under the Trump Administration

The incoming Trump administration’s approach to foreign direct investment (“FDI”) in the United States and to national security reviews conducted by the Committee on Foreign Investment in the United States (“CFIUS”) is difficult to predict. Mr. Trump has criticized certain foreign investments in the United States, but his trade-related critiques have focused largely on U.S. free trade agreements and the loss of U.S. manufacturing jobs to foreign countries. Nonetheless, according to CNN, a Trump transition team draft memorandum outlining Mr. Trump’s trade policy for the first 200 days of his presidency indicates that Mr. Trump would mandate that CFIUS reviews be expanded to consider food security and reciprocity in the treatment of U.S. investments abroad.

FTC Issues Sharing Economy Report

In June 2015, the Federal Trade Commission (FTC) held a workshop on The “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators. The Commission also solicited public comments on the topic, receiving more than 2,000 comments in response. On 17 November, the Commission issued a report summarizing the issues explored in the workshop and the public comments. The report emphasized that the workshop (and its ensuing summary) was not intended “as a precursor to law enforcement” but “an opportunity to learn more” about this rapidly evolving business model and to aid “the Commission, as well as regulators, consumer groups, platforms, participants using the platforms, incumbent firms, and others” to address the unique issues raised by sharing economy platforms.

EMA revises Guideline on First-in-Human Trials

On 15 November 2016, the European Medicines Agency (“EMA”) opened for public consultation its updated Guideline on strategies to identify and mitigate risks related to first-in-human and early clinical trials with investigational medicinal products. The EMA has revised the Guideline, in cooperation with the European Commission and the EU Member States, to further improve the safety of trial participants. The consultation deadline for the draft Guideline is 28 February 2017.

Background

The Guideline initially adopted in 2007 provides advice concerning the safe conduct of first-in-human clinical trials. The Guideline includes advice on the data needed to enable the appropriate design of the clinical trials and to allow the initiation of treatment in trial participants.

The revised Guideline is based on a concept paper that EMA released for public consultation between July and end of September 2016. The concept paper outlined the major areas in the Guideline that required revision to reflect the evolution of practices in the last ten years.

With the revision of the Guideline, EMA aims to further improve the safety of clinical trial participants in the context of increasingly complex trial protocols. The revision is also intended to further assist sponsors in the transition from non-clinical to early clinical development. The revised Guideline identifies factors influencing risk for new investigational medicinal products.

New scope of the Guideline

Under the initial Guideline, first-in-humans clinical trials were associated with a single ascending dose design subsequently followed by a multiple ascending dose clinical trial.

In recent years, the practice for conducting first-in-human clinical trials for new investigational medicinal products has evolved towards a more integrated approach, with sponsors conducting several steps of clinical development within a single clinical trial protocol. This evolution has enabled clinical trial sponsors to assess single and multiple ascending doses, food interactions, or different age groups within integrated protocols.

The revised Guideline identifies strategies for mitigating and managing risks arising from these increasingly complex trial protocols. It lays down principles for the calculation of the starting dose to be used in humans, the subsequent dose escalation, the criteria for maximum dose and principles relating to the conduct of the clinical studies with multiple parts.

The document provides guidance concerning clinical and non-clinical aspects. The section of the Guideline concerning clinical aspects includes guidance concerning the criteria on the basis of which a study should be stopped and the requirement for a rolling review of emerging data with a focus on safety information for trial participants. The document also discusses the handling of adverse events, including the rules guiding progress to the next dosing level.

The section of the Guideline relating to non-clinical aspects includes the better integration of pharmacokinetic and pharmacodynamic data and toxicological testing into the overall risk assessment. The role of non-clinical data in the definition of the estimated therapeutic dose, maximal dose, and dose steps and intervals is also considered.

EMA aims to publish a final revised Guideline for the conduct of first-in-human clinical trials in the first half of 2017.

For further information visit: http://www.ema.europa.eu/docs/en_GB/document_library/Scientific_guideline/2016/11/WC500216158.pdf

DOE and NRC Sign MOU to Benefit Advanced Reactors

As part of the DOE’s Gateway for Accelerated Innovation in Nuclear (“GAIN”) initiative, this month the DOE and NRC published a Memorandum of Understanding (MOU) that sets forth a process by which the two agencies will work together to help non-light water (“advanced”) nuclear reactors work through the nuclear licensing process.

The MOU establishes contacts at each agency and a process by which the NRC will keep the DOE closely informed about its licensing process for advanced reactors, as well as any changes that occur.  But perhaps most of interest, the MOU establishes a framework by which the DOE can answer basic regulatory questions that future advanced reactor applicants may have, concerning the “NRC’s regulatory requirements and activities.”  Moreover, if DOE cannot answer the question, in certain cases it can e-mail the NRC and expect an answer back within two weeks.  Questions that are asked and answered will be compiled on a DOE-hosted “FAQ” website.

It remains to be seen exactly how this program will shape out, and whether the DOE will be able to provide substantive assistance to advanced reactor licensees.  But it represents an exciting development for today’s nuclear entrepreneurs, who are seeking a means by which to understand the complex regulatory landscape before then.  It also continues a trend at DOE and in the federal government generally to engage in non-financial assistance: instead of simply giving cash awards to entrepreneurs, the government can leverage its resources, expertise, and connections to provide unique opportunities to entrepreneurs that money normally could not buy.

For more questions about advanced nuclear reactors, the GAIN initiative, or how the federal government can assist the development of nuclear power, please contact the authors.

Brill Discusses Benefits and Challenges of IoT at Winnik Forum

Julie Brill, Hogan Lovells Partner and former Commissioner of the U.S. Federal Trade Commission (FTC), delivered opening afternoon remarks at the Fifth Annual Winnik International Telecoms and Internet Forum: The Internet of Things: Legal Challenges and Opportunities.  Brill highlighted the “unquestionable” benefits of the Internet of Things (IoT) while also stressing the considerable data security and privacy concerns that come along with the emerging IoT ecosystem.

Brill noted that one of the biggest challenges surrounding IoT is security.  Device security is a paramount concern because connected devices are linked to the physical world.  Security vulnerabilities may not become apparent until a device is connected to an environment for which it wasn’t designed, or until consumers use a device or service in an unexpected way.  Brill stated that it is important that companies monitor vulnerabilities in devices and applications especially considering how quickly vulnerabilities in one device can spread to other devices.

Brill also analyzed the FTC’s recent enforcement action against ASUSTeK Computer, Inc.  In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS failed to take reasonable steps to secure the software on its routers, despite making promises to consumers about the routers’ security.  As part of a consent decree ASUS entered with the FTC, ASUS agreed to implement a comprehensive security program.  According to Brill, the ASUS case shows that the FTC staff wants companies to adopt standardized security practices.

IoT device manufacturers and service providers, as well as the businesses that use IoT devices, face unique challenges in providing end users with adequate transparency into how IoT devices collect and use data.  Brill questioned how devices without a user interface could provide consumers with information on how data is collected and used.  Brill also questioned when companies and even homeowners must provide notice to their customers and guests as IoT becomes more prevalent within homes and businesses.  Brill emphasized that consumer trust will prove essential to IoT development and recommended that companies consider transparency and control mechanisms to avoid legal exposure as developers plan for the future of IoT.

Hogan Lovells Attorneys Present on Iran Nuclear Deal at International Nuclear Law Conference in India

This month Hogan Lovells partners Amy Roma and Ajay Kuntamukkala presented at the International Nuclear Law Association’s (INLA’s) Annual Congress in New Delhi, India.  They presented on the Iranian Nuclear Deal and implications for U.S. businesses.

India was chosen to host this year’s INLA Congress in part because of the great strides the country has taken in growing its civilian nuclear power industry while at the same time trying to build ties with the international nuclear power community.  India took significant steps this year towards fostering foreign participation in the Indian nuclear power program.

In February, India signed the Convention on Supplementary Compensation (CSC), a critical international nuclear liability agreement that ensures compensation to individuals in the case of a nuclear incident while also setting clear rules and norms to ease innovation. The CSC took effect for India on May 4, 2016.  Later, in June 2016, the India Nuclear Insurance Pool (INIP) issued its first insurance policy for nuclear power plant operators, and launched a supplier policy a few months later.  The INIP provides coverage for operators and suppliers arising from third-party liability, and was established in response to India’s 2010 nuclear liability law, which requires nuclear plant operators to maintain financial protection for third party nuclear liability.  The nuclear liability law has also created some controversy within the nuclear industry as to whether it aligns with international standards.  On November 11, Japan and India signed a civil nuclear cooperation agreement to allow Japanese companies to export Japanese nuclear technology and material to India.

India has the potential to be a leader in the civilian nuclear industry, and the recent developments are steps towards actualizing that potential.  For more about nuclear power in India, or the global nuclear energy industry in general, please contact the authors.

ANSM on the de-notification or termination of notified bodies’ activities

On 14 November 2016, the French National Agency for Medicines and Health Products Safety (“ANSM”) issued the English version of an information bulletin and a Q&A document concerning the consequences of de-notification or termination of notified bodies’ (“NB”) activities, dated 24 October 2016.

Background

The ANSM notes that in recent months, several notified bodies have ceased their operations, either voluntarily or following a de-notification decision made by their European Union (“EU”) Member State’s competent authority. The de-notification of a notified body occurs either when a competent authority suspends or withdraws the notified body’s authorization or when the notified body decides not to renew its authorization.

Medical devices may only be placed on the market in the EU with a valid CE Certificate of Conformity and under regular monitoring by notified bodies. Related activities are the result of contractual relations between notified bodies and medical device manufacturers that are governed by private law.

As a result, neither EU nor French regulatory provisions specifically address the actions that must be taken with regard to CE Certificates of Conformity in the event that a designated notified body is de-notified or stops operating in this role.

The issue of the de-notification of notified bodies was raised at a meeting of the competent authorities of the EU Member States on 19 October 2016. At this meeting, competent authorities agreed on guidelines for managing such situations.

In the information bulletin the ANSM announced that, in line with these guidelines, it had established procedures for medical device manufacturers affected by the de-notification of a notified body and established in France.

The ANSM Procedures

The ANSM procedure provides that, under certain conditions, affected manufacturers may continue to market their medical devices in the European Union. The aim is to allow manufacturers some time to request and obtain new CE Certificates of Conformity from other valid notified bodies.

Manufacturers may apply to the ANSM for an extension of the marketing of their medical devices (“MD”) and in-vitro medical devices (“IVD”) on two conditions. Applicants must hold CE Certificates of Conformity the validity of which has not expired at the time of the application. The period of validity must in addition go beyond the date of the de-notification or end of operations of the notified body.

If the manufacturer’s CE Certificate of Conformity expires at a date prior to the de-notification or end of operations of the notified body, the manufacturer will not be allowed to benefit from this procedure.

The procedure provides that manufacturers must introduce an application as soon as possible and preferably within one month of the de-notification or end of operations of the notified body.

Manufacturers must submit several documents to demonstrate the continued safety of the concerned products:

  • A list of the references for all MD/IVDs affected by the de-notification decision or the end of operations. The list should also specify the sales volume and the EU Member States in which they are being marketed and/or distributed;
  • A copy of the most current version of the CE Certificates of Conformity identifying the MD/IVDs covered by these Certificates;
  • A statement issued by the manufacturer certifying that its products continue to comply with fundamental requirements;
  • Identification of the new notified body, evidence that the certification process has been initiated, and the anticipated date that it will be finalized.

During the evaluation of the application by the ANSM, manufacturers will be able to temporarily continue to market their MD/IVDs. The application will be approved only if the ANSM finds that, on the basis of the submitted documents, the products may continue to be placed on the market without risks concerning the safety of their use.

The extension is granted for a maximum period of 12 months following the notified body’s de-notification or effective end of activities. In the event that the CE Certificates of Conformity expire prior to the end of the 12-month period, the extension for marketing the products shall be allowed only for the remaining period of the Certificates’ validity.

Manufacturers must send the ANSM the audit report and the new CE Certificate of Conformity for the concerned MD/IVDs as soon as they are issued by the new notified body.

The ANSM will evaluate applications on a case-by-case basis for those CE Certificates of Conformity that relate to a medical device or in-vitro medical device that is essential or that has no existing alternative. The manufacturer is responsible for providing evidence of the essential nature of its MD/IVD.

For further information visit: http://ansm.sante.fr/var/ansm_site/storage/original/application/7fad82da57fe0f9df182fc5955b73d60.pdf and http://ansm.sante.fr/var/ansm_site/storage/original/application/206542f785ffaa12a6c1545b915fea3f.pdf

Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things

The Internet of Things is “clearly a significant market,” according to Daniel Alejandro Sepulveda, Ambassador, Deputy Assistant Secretary and U.S. Coordinator for International Communications and Information Policy for the Bureau of Economic and Business Affairs in the Department of State.  In Sepulveda’s keynote remarks at the Hogan Lovells Fifth Annual Winnik International Telecoms & Internet Forum, he addressed the State Department perspective on the Internet of Things, and the issues and challenges raised by the new technologies and use cases.

Sepulveda said the Internet of Things market is expected to grow to 24 billion connected devices by 2019, and explode to a four- to seven-trillion-dollar industry by 2025.  He outlined three key issues facing the industry as it develops: First, Internet of Things stakeholders must determine how best to use the extensive data generated by connected devices. Second, the industry must determine how to ensure interoperability across devices.  And third, the providers must determine how to protect the security and privacy of the users of connected devices.

According to Sepulveda, first responders and government could use the data generated by connected devices to the benefit of citizens.  For example, cities could pair data from air quality sensors with data from wearable and personal devices about citizen health to notify citizens with asthma or other vulnerabilities about air quality issues in real time.  First responders could also use flood maps paired with information about vulnerable populations to best target their resources and plan operations during natural disasters.

But ensuring the privacy of this sensitive data should also be a priority for the industry, Sepulveda said.  The “U.S. believes strongly and has a deep commitment in both law and practice to the idea that people should not be subject to arbitrary or unlawful interference with their privacy, consistent with our obligations under international human rights law,” he added.  The challenge will be balancing these obligations with ensuring the flow of data across devices.

Interoperability across devices will also be an important component of the successful development of the Internet of Things, according to Sepulveda.  He noted that government activities, such as proposals for regulations that mandate technologies or impose design or other restrictions, can generate friction on this front.  “But though government can regulate,” he said, “our office has often urged restraint in this space.”  He noted that his office urges other governments to take care with any regulation of the Internet to ensure the promotion of the public interest.  His office also works to make sure stakeholders in the Internet of Things have “meaningful” opportunities to engage with policymakers.

Sepulveda asked that the industry also remember that connected devices are part of a worldwide network.  He reminded the industry to be aware of the potential dangers of these new technologies.  He mentioned the recent distributed denial-of-service attack, which used connected devices to disrupt U.S. servers for websites including Spotify and The New York Times.

“It is important to remember that when talking about the Internet of Things and security, we are not just talking about the security of a handful of devices, but the entire Internet,” Sepulveda said.

Moving forward, he noted, the two main issues the State Department is working on that affect the Internet of Things are: 1) the development of Internet infrastructure both here in the U.S. and abroad, and 2) the privacy shield that the Department of Justice, Department of State, and others are working on to safeguard the transfer of data between the European Union and the U.S.

Sepulveda encouraged stakeholders to engage with his office on these issues, including at events they host throughout the year and at major world conferences, including the Consumer Electronics Show, the Mobile World Congress and the G7 and G20 meetings.