California Law IoT Devised to Have “Reasonable Security Feature”

On September 28, 2018, California passed Senate Bill No. 327, Chapter 886, which regulates the security of all internet of things (IoT) devices sold in California.  Collectively, IoT broadly refers to all internet-enabled devices and includes everything from doorbells and lamps to cell phones and wearable devices. This bill, beginning on January 1, 2020, will require a manufacturer of a connected device to equip the device with “a reasonable security feature or features” to “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Additionally, this California law requires that any device capable of authentication outside a local area network either have a pre-programmed password that is unique to each device or require users to generate a new password before users are granted access to the device for the first time.

California’s passage of Senate Bill No. 327 indicates the government’s acknowledgement of the growing threat cyber-attacks pose to these popular technologies. Currently, there are approximately 7 billion internet-enabled devices in the world and this number is expected to reach 21.5 billion by 2025. This increase in widespread adoption of connected devices has amplified the growth of cyber-attacks. Specifically, many internet-enabled devices currently sold to consumers provide either no password protection or the same default login credentials across all devices, which make these devices exceptionally vulnerable to cyber-attacks. California’s Senate Bill No. 327 attempts to combat this with its revamped password requirements.

While California’s passage of Senate Bill No. 327 marks a positive step towards increased security for internet-enabled devices, deficient password requirements are only one of the many shortcomings that make internet-enabled devices vulnerable to cyber-attacks.