What is California’s IoT Law?
It’s 2019, and we are connected to everything, creating massive amounts of data which has been rather enticing to cyber criminals.
California’s IoT Law is a first for the nation, but likely not the last of its kind. It’s incredibly important coming from California too, with most major companies headquartered in the Silicon Valley.
The State of California has taken a leadership role toward cybersecurity and protecting its residents’ personal information in particular. Specifically, on September 28, 2018, California Governor Jerry Brown signed into law Senate Bill No. 327 and its cohort, Assembly Bill No. 1906, which requires that beginning on January 1, 2020, all manufacturers of a “connected device” must equip that device with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
A “connected device” is defined as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address of Bluetooth address.” That means anyone making Internet-connected devices and selling or offering them for sale in California is covered under this law.
The law did specify, though, that devices that use default passwords will need to require new and unique passwords and will need to prompt users to develop new passwords during the initial setup of the device.
That’s all the bill includes. It’s a short and concise law that has a lot of room for interpretation.
Quick FAQ’s regarding California’s IoT Law:
Who is covered?
Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, since the interconnectivity of third-party software may be the source of a security breach, the question arises whether to consider how a covered device interacts with such third-party software.
How far does the law reach?
A “connected device” is defined quite broadly. Under the definition, a connected device is any device or “other physical object” that is capable of connecting to the internet (even by being paired with another device) and assigned an IP or Bluetooth address.
This definition potentially captures a whole range of equipment, including:
- Copy machines
- Fax machines
- VoIP-enables phones
- Bluetooth headsets
- Cash registers (point-of-sale terminals generally)
- Handheld barcode readers
- Smart thermostats
- Keycard readers (for doors)
- security cameras
- Light bulbs
- Environmental control panels
- Lap equipment
- Medical diagnostic equipment
- Warehouse inventory scanners
- Personal fitness monitors
- Wristwatches (iWatch)
- Connected vehicles
What are “reasonable security features”?
The law requires that the connected device be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within from unauthorized access, destruction, use, modification or disclosure. Recognizing the indefinite standards within the statute, the law offers some flexibility to avoid some ambiguity. If the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. This specificity goes beyond the guidance provided in prior FTC enforcement actions, which have recognized vulnerabilities posed by default settings without deeming reasonable any specific approach to initial password management.
But note that this guidance relates to only the authentication aspect of the device. The rest of the requirements in the law still mandate undefined reasonable security features beyond just authentication.
Who can enforce the law?
Private parties do not have the authority to sue under the California law; rather, the law delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels and district attorneys. The law also does not specify what types of penalties officials can seek for violations, what the maximum penalties are or whether officials must prove that actual harm to consumers has occurred before seeking penalties.
Will California’s IoT Law Make Consumers Safer?
My opinion, it’s a good start, but it’s not enough.
What is “reasonable security”?
For me, this is too broad of a statement, and manufacturers can interpret that phrase in any way they want. Security won’t be consistent across devices. How is that a solution? It isn’t. An insecure device won’t become secure just because of an added feature that may or may not work. By removing what makes the device insecure in the first place, we have a greater chance of protecting its user.
Security experts in the field have concluded that the law wouldn’t do anything to fix the real problems facing IoT. When it comes to these devices, we should be focused on removing the insecure features instead of masking them with security features.