Fresh off the heels of enacting the California Consumer Privacy Act, California Governor Jerry Brown signed the country’s first law governing the security of Internet of Things (IoT), or connected, devices. The bill, SB 327, is entitled “Security of Connected Devices.”
Beginning on January 1, 2020, all manufacturers of connected devices will be required to equip the device with reasonable security features to protect against the unauthorized access, destruction, use, modification or disclosure of information that is collected or transmitted by the device.
The “reasonable security features” of devices may vary, depending on the nature and function of the device, and the nature of the information collected, contained or transmitted. Nonetheless, all connected devices must be designed to protect the device and information from misuse.
While the law does not provide specifics on what security measures will be required, it does state that if a connected device is equipped with a means for authentication outside a local area network, it will have reasonable security features if it has a preprogrammed password that is unique to each device, or if it contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The law does not include a private enforcement right. The California Attorney General, city attorneys, city council or district attorneys in California have the exclusive authority to enforce the law. In addition, the law does not apply to any devices subject to federal regulations or laws, or to entities or others subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
While the law has come under considerable criticism due to its vagueness, many believe that the law is a step in the right direction toward promoting security in a blossoming industry that is ripe for hackers and security flaws.
Other Internet of Things legislation has been proposed, but none has been enacted at this time. Proposals include the IoT Cybersecurity Improvement Act, which sets contractual clauses and standards for IoT products purchased by the federal government; the SMART IoT Act, which directs the U.S. Department of Commerce to conduct a study on the state of the Internet-connected devices industry in the U.S.; and the IoT Consumer TIPS Act of 2017, which would require the Federal Trade Commission to coordinate with the National Institute of Standards and Technology and relevant private sector stakeholders to develop voluntary educational cybersecurity resources for consumers relating to protection and use of the Internet of Things.