California Enacts First IoT Cybersecurity Law
Security-by-design will soon be mandated for all connected devices sold in California. As of January 1, 2020, manufacturers of IoT products will be required to equip those devices with reasonable security features to protect the device and any information collected through it from unauthorized access, destruction, use, modification, or disclosure. SB 327 was passed by the California legislature on August 29, 2018 and signed into law by Governor Jerry Brown on September 28, 2018.
Security measures must be appropriate to the nature and function of the device and the information they collect, contain, or transmit. "Reasonable security," while a somewhat general and vague term, has been referenced by the Federal Trade Commission (FTC), the National Institute of Standards and Technology (NIST), and others. It denotes a flexible, process-oriented standard that avoids specific "one-size-fits-all" criteria that could stifle innovation. For devices that are authenticated outside a local area network, the law requires that the device must either contain a unique preprogrammed password or require users to create a new password before first-time use to establish reasonable security. These requirements, while more specific as elements of a "reasonable security" approach, are more generally accepted from a password management standard, recognizing that consumers often choose simple, easy-to-guess passwords or adopt common passwords across sites and services that, if compromised, could put much more of their personal information at risk.
SB 327 - formerly known as the "Teddy Bear and Toaster Act" - was substantially revised before becoming law. Manufacturers and retailers vigorously opposed the bill as originally introduced, considering it overly broad, burdensome, and impracticable.
These objections resulted in significant amendments, such as eliminating obligations on third parties and manufacturers to provide direct notification and patching to consumers in the event of a breach. The final version also narrowed the definition of "connected device" to require not only connection to the Internet, but also an assigned Internet Protocol address or Bluetooth address, which would exclude items such as ethernet or USB cables. Also dropped from the draft bill was a requirement that devices have a visible indicator that shows when the device is collecting data. In addition, SB 327 does not impose liability on manufacturers for the security of third-party software or applications. And, like the amendments to the recently passed California Consumer Protection Act (CCPA), SB 327 provides carveouts for healthcare providers and other entities subject to HIPPA, as well as for security requirements under federal law and regulations and guidance from federal agencies.
Unlike the CCPA, SB 327 does not create a private right of action; the state has the exclusive authority to enforce the provisions. However, if a connected product manufacturer fails to maintain reasonable security and a breach occurs, the manufacturer could be in violation of the CCPA and could face exposure to private litigation as a result.
Manufacturers selling connected products in California should carefully consider both functionality and security at the design stage of a connected device to ensure they don't wind up facing suits under both SB 327 and the CCPA.