October 19, 2019

First of its Kind: California to Require IoT Device Security Measures

The new California Consumer Privacy Act is not the only California privacy law that companies will have to prepare for in 2019. Beginning on January 1, 2020, California will also require a manufacturer of a “connected device” (i.e., an IoT device) to equip that device with reasonable security features.

Until now, states had not specifically regulated Internet of Things (“IoT”) manufacturers and their data security practices related to the device. Instead, California (among other states) generally requires businesses to dispose of records containing personal information when records are no longer needed and to implement and maintain reasonable security procedures to protect such records from unauthorized access and use.

Under this new law, manufacturers will need to design appropriate security features to help protect the device and information from unauthorized access, destruction, modification, disclosure and use. The California law is a de facto national standard for IoT manufacturers that offer their IoT devices for sale in California.

What is a “connected device”?

The law specifically regulates “connected devices,” defined as “any device or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Who is a “manufacturer”?

A manufacturer is an entity that manufactures (or contracts with an entity to manufacture on its behalf) connected devices sold or offered for sale in California. Contracting to manufacture does not include a contract with a third party only to purchase a connected device, or only to purchase and brand a connected device.

What are “reasonable security features”?

Manufacturers of connected devices must equip the device with reasonable security features that are all of the following:

  • Appropriate to the nature and function of the device;

  • Appropriate to the information it may collect, contain or transmit; and

  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.

The law does not mandate specific requirements of what a “reasonable security feature” must look like; however, the following two options are explicitly deemed “reasonable security features”:

  • Preprogrammed passwords that are unique to each device manufactured; or

  • Devices containing security features that require the user to generate a new means of authentication before access is granted to the device for the first time.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.