October 26, 2020

Volume X, Number 300


October 23, 2020


California Enacts First IoT Cybersecurity Law

Security-by-design will soon be mandated for all connected devices sold in California. As of January 1, 2020, manufacturers of IoT products will be required to equip those devices with reasonable security features to protect the device and any information collected through it from unauthorized access, destruction, use, modification, or disclosure. SB 327 was passed by the California legislature on August 29, 2018 and signed into law by Governor Jerry Brown on September 28, 2018.

Security measures must be appropriate to the nature and function of the device and the information it collects, contains, or transmits. "Reasonable security," while a somewhat general and vague term, has been referenced by the Federal Trade Commission (FTC), the National Institute of Standards and Technology (NIST), and others. It denotes a flexible, process-oriented standard that avoids specific "one-size-fits-all" criteria that could stifle innovation. For devices that are authenticated outside a local area network, the law requires that the device either contain a unique preprogrammed password or require users to create a new password before first-time use in order to establish reasonable security. These requirements, while more specific than the other elements of a "reasonable security" approach, reflect generally accepted password-management practice: consumers often choose simple, easy-to-guess passwords or reuse the same password across sites and services, and a single compromised password can then put much more of their personal information at risk.

SB 327 - formerly known as the "Teddy Bear and Toaster Act" - was substantially revised before becoming law. Manufacturers and retailers vigorously opposed the bill as originally introduced, considering it overly broad, burdensome, and impracticable.

These objections resulted in significant amendments, such as eliminating obligations on third parties and manufacturers to provide direct notification and patching to consumers in the event of a breach. The final version also narrowed the definition of "connected device" to require not only a connection to the Internet but also an assigned Internet Protocol address or Bluetooth address, which excludes items such as Ethernet or USB cables. Also dropped from the draft bill was a requirement that devices have a visible indicator showing when the device is collecting data. In addition, SB 327 does not impose liability on manufacturers for the security of third-party software or applications. And, like the amendments to the recently passed California Consumer Protection Act (CCPA), SB 327 provides carve-outs for healthcare providers and other entities subject to HIPAA, as well as for security requirements under federal law and regulations and guidance from federal agencies.

Unlike the CCPA, SB 327 does not create a private right of action; the state has the exclusive authority to enforce the provisions. However, if a connected product manufacturer fails to maintain reasonable security and a breach occurs, the manufacturer could be in violation of the CCPA and could face exposure to private litigation as a result.

Manufacturers selling connected products in California should carefully consider both functionality and security at the design stage of a connected device to ensure they don't wind up facing suits under both SB 327 and the CCPA.

© 2020 Keller and Heckman LLP. National Law Review, Volume VIII, Number 290

About this Author


Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...


Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues. Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates. She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children's Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.