Photo of Erin M. Bosman

“My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw,” wrote a tech blogger who purchased Google Inc.’s latest internet of things (IoT) device. Following the incident, a pact of consumer advocacy groups insisted the U.S. Consumer Product Safety Commission (CPSC) recall the Google smart speaker due to privacy concerns arising when the device recorded all audio without voice command prompts.

The CPSC is charged with protecting consumers from products that pose potential hazards. Traditionally, this has meant hazards that may cause physical injury or property damage. But as internet-connected household products continue to proliferate, issues like the “always-on” Google Home Mini raise an important question: Where does cybersecurity of consumer IoT devices fit within the current legal framework governing consumer products?

The Explosion of IoT

Forecasts predict that by 2020 IoT devices will account for 24 billion of the 34 billion devices connected to the internet. According to a recent Gemalto survey, “[a] hacker controlling IoT devices is the most common concern for consumers (65%), while six in ten (60%) worry about their data being stolen.”

The rapid growth of the IoT market and continued integration into daily life raises the question of which regulatory body or bodies, if any, should be responsible for consumer safety when it comes to cybersecurity for consumer IoT devices.

The Intersection of Consumer Product Safety, Privacy and Cybersecurity

The CPSC’s jurisdiction has traditionally been limited to physical injury and property damage. It is “charged with protecting the public from unreasonable risks of injury or death associated with the use of the thousands of types of consumer products under the agency’s jurisdiction.”


Health care apps are one of the most important and growing segments in the ecosystem known as the Internet of Things (IoT). After the recent amendments to the Health Insurance Portability and Accountability Act (HIPAA) that—among other things—broadened the definition of a “Business Associate,” many technology companies found themselves wondering whether they were, or were

Last week the Food and Drug Administration (FDA) promulgated two much-anticipated draft guidance documents on using social media to present information about prescription drugs and medical devices. The draft guidance documents, which were originally promised by the FDA in 2010, represent the FDA’s latest attempt to provide direction for drug and device manufacturers concerning how and when they may use social media.

BACKGROUND

Drug and device labeling and promotion are highly regulated activities, subject to onerous approval requirements enforced by the FDA under the Federal Food, Drug, and Cosmetic Act (the “Act”). Under the Act, “labeling” includes “all labels and other written, printed, or graphic matter” that “accompany” a drug or device. 21 U.S.C. § 321(m); 21 C.F.R. § 1.3(a). This definition has been broadly interpreted by the courts to include materials that supplement or explain a drug or device, even when there is no physical attachment to the drug. See Kordel v. United States, 335 U.S. 345, 350 (1948).

Rapidly growing Internet-based technologies have made it quicker and easier for both manufacturers and independent third parties to disseminate information about drugs and devices. This has led to a host of issues including (1) what drug companies can say online about their drugs without violating the “misbranding” regulations; and (2) what drug companies can do with what third parties have said online about their drugs. The guidance documents attempt to answer both of these questions.

The Twitter Guidance: “Internet/Social Media Platforms with Character Space Limitations – Presenting Risk and Benefit Information for Prescription Drugs and Medical Devices”

The FDA’s position concerning manufacturers presenting “benefit information” for regulated drugs on electronic platforms with character space limitations is laid out in the Twitter Guidance. This Guidance instructs companies on the steps to take to avoid inadvertently “misbranding” a drug by providing information about a drug’s benefits without disclosing accompanying risks. With that in mind, the Twitter Guidance provides the following direction for drug companies seeking to use space-limited social media platforms:

  • Include the brand and established name, dosage form, and ingredient information;
  • Ensure that any benefit information provided is accurate;
  • Accompany benefit information with risk information;
  • Provide direct access to a more complete discussion of the risks associated with the drug or device. Notably, the Twitter Guidance says the link should lead to a page devoted “exclusively” to risk information; and
  • If both benefit and risk information cannot be communicated within the space limit, consider using a different platform.

To prove that it is not impossible to provide the required information within Twitter’s 140 character limit (just very difficult), the Twitter Guidance provides the following – entirely fictional – example of an acceptable tweet:

Notably, this example from the FDA might not prove helpful in reality, especially considering that many drugs would be required to list more than one risk.

The main take-away from the Twitter Guidance is nothing new: to avoid enforcement, provide “truthful, accurate, non-misleading, and balanced product promotion.” If a company cannot achieve this delicate balance within Twitter’s space limitations, it should “reconsider using that platform for the intended promotional message.”
