Opinion

How a Consumer Group’s Cybersecurity Initiative Could Shape the Market

For the last several years, federal government policy makers have feverishly pushed legislation and regulation intended to address ever-morphing and increasingly dire threats to privacy and cybersecurity. But these efforts have throttled back fast with the de-regulatory Trump administration and the recent repeal of Federal Communications Commission privacy rules. As regulatory activism appears to have waned, some may be breathing a sigh of relief.

Not so fast.

Where the federal government is stepping back, others are stepping in. Take the recent initiative launched by Consumers Union, and its affiliate Consumer Reports. Most people know Consumer Reports as the trusted resource for reviews of cars, refrigerators, cell phones, strollers – and even insurance companies. It rates these products on distinct attributes such as safety, reliability and efficiency. But CR is now adding new factors to inform your purchase: consumer privacy and data security.

In March, CR announced “the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy,” stating its “hope [that] industry will use that standard when building and designing products such as connected devices, software, and mobile apps.” According to CR, the goal of the initiative, dubbed “The Digital Standard,” is to help consumers “understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.” CR will eventually use the standard in its product testing, which the publication says “will help consumers make more informed purchasing decisions.”

Those who don’t think this is a significant development may not be familiar with CR’s history. Since its founding some 80 years ago, CR has repeatedly exercised an outsized influence on the market for products it rates. Companies have soared on the basis of CR’s rave reviews, and failed, or had to substantially modify their products, in the face of bad ratings in areas such as automotive safety, food and baby equipment, among others. As CR puts it, “[w]hen consumers vote with their wallets and their clicks, we’ve seen that companies pay attention.” In fact, on many occasions ratings or reviews by CR have led directly to new government regulation.

And with more than a $25 million annual testing budget, more than 50 testing labs, and adherents far greater than even its 8 million print and online subscribers would suggest, CR has the ability to serve as a quasi-regulatory body to shape consumer protection in the ever-changing digital and consumer-product landscape.

CR does not shy away from tech either. For example, in 2016, electric automotive manufacturer Tesla updated its self-parking software based on testing by CR, which revealed that the Tesla system sometimes failed to notice and avoid items on the ground. CR also recently exposed serious vulnerabilities in the pregnancy and fertility app Glow, including security flaws that could allow access to a woman’s personal health information. After CR shared its concerns with the app’s developer, the company quickly fixed the issue and released an updated version of the app.

CR’s new privacy and cybersecurity initiative will rate digital devices and services on the basis of four principles:

  • Products should be built to be secure: Consumers deserve “products that are built with security as a priority.”
  • Products should protect customers’ privacy: Consumers should “know what data of theirs is being collected, and have a reasonable amount of control over it.”
  • Products should protect the idea of ownership: When consumers buy products they should be able to “alter, fix, or resell them.”
  • Companies should act ethically: Companies should be held “accountable for how they interact with the broader world.”

These four categories will ostensibly cover several areas relevant to the “Internet of Things” such as data encryption, data control and retention practices, third-party tracking and sharing, and transparency about terms of service and privacy policy.

To develop the standard, CR is working with three other organizations – the privacy software company Disconnect, the nonprofit research project Ranking Digital Rights, and the nonprofit software testing firm Cyber Independent Testing Lab. CR says it plans to use the standard to develop “specific and repeatable testing procedures,” possibly including “penetration testing” or “white-hat hacking,” depending on the type and number of products. Although CR has not announced which products it will test first, digitally connected devices such as smart TVs, baby monitors and Wi-Fi routers, as well as apps and web browsers, are all likely fair game.

This all comes amid news of several data breaches and vulnerabilities in internet-connected devices, including May’s WannaCry ransomware attack on 150 countries and Chrysler’s 2015 recall of 1.4 million vehicles that could be remotely hacked. Unsurprisingly, according to an April survey by CR, some 70 percent of Americans say they lack confidence that their personal information is private and secure.

So what can a company do about CR’s initiative? Fortunately, there are options beyond just sitting and waiting for the ratings to show up.

First, weigh in. CR has asked for input into its standards. It has posted the standard as a public document online, inviting public comment and collaboration specifically from technology companies, industry groups, nonprofit organizations and individual consumers. This is an opportunity for product manufacturers and service providers to actually shape the standards by which their products will soon be evaluated, and which will influence consumer choices.

Second, watch and plan new products. As these standards develop, companies have an opportunity to get a running start on meeting or exceeding the standards. Just as companies compete to best one another on safety, price or convenience, they will soon have the opportunity to do so in a quantifiable way on cybersecurity and privacy. Smart entrepreneurs will look to take advantage of that opportunity to get a leg up on the competition.

Third, prepare for secondary effects. Depending on their level of clarity, new definitions for acceptable privacy and cybersecurity standards and practices could be cited in class actions and other litigation as well as in enforcement actions by state and federal agencies to support allegations that businesses’ approaches to privacy and cybersecurity are deficient. Companies will want to be prepared for such challenges.

Smart entrepreneurs (and lawyers) keep an eye on the market, as well as those who influence it. Anyone in the technology industry should keep an eye on, and perhaps engage with, newly developing cybersecurity and privacy standards, especially CR’s new Digital Standard project.


Dave Thomas is a partner in Sheppard, Mullin, Richter & Hampton LLP’s Washington office, with a national practice in the telecommunications industry, and in cyber and data security. Jonathan Meyer is a partner in the firm’s Washington office and former deputy general counsel at the U.S. Department of Homeland Security. Abraham Shanedling is an associate in the firm’s Washington office.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.