“Hey Alexa – Tell Me About Your Security Measures”
California continues to lead the nation in cybersecurity and privacy legislation on the heels of the recent California Consumer Privacy Act of 2018 (“CCPA”). Governor Brown recently signed into law two nearly identical bills, Assembly Bill No. 1906 and Senate Bill No. 327 (the “Legislation”) each of which required the signing of the other to become law, on September 28th, 2018. Thus, California becomes the first country in the nation to regulate “connected devices” – the Internet of Things (IoT). The Legislation will go into effect January 2020.
CA IoT Bills Apply to Manufacturers of Connected Devices
This Legislation applies to manufacturers of connected devices sold or offered for sale in California. A connected device is defined as any device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet. Beyond examples such as cell phones and laptops, numerous household devices, from appliances such as refrigerators and washing machines, televisions, and children’s toys, could all meet the definition of connected device.
What Must Manufacturers of Connected Devices Must Do
Manufacturers equip the connected device with reasonable security feature(s) that are “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
The Legislation provide some guidance as to what will be considered a reasonable security measure. Devices that provide authentication with either a programmed password unique to the manufactured device, or provide a security feature that forces the user to generate a new means of authentication before access is granted will be deemed to have implemented a reasonable security feature. The use of a generic, default password will not suffice.
Other than following this guidance, the Legislation does not provide specific methods of providing for reasonable security features.
What Is Not Covered
a. Unaffiliated Third Party Software: Many connected devices use multiple pieces of software to function. The Legislation specifically states that “This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.”
b. Companies That Provide Mechanisms To Sell Or Distribute Software: Application store owners, and others that provide a means of purchasing or downloading software or applications are not required to enforce compliance.
c. Devices or Functionality Already Regulated by Federal Authority: Connected Devices whose functionality is already covered by federal law, regulations or guidance of a federal agency need not comply.
d. Manufacturers Are Not Required To Lock Down Devices: Manufacturers are not required to prevent users from gaining full control of the device, including being able to load their own software at their own discretion.
No Private Right of Action
No private right of action is provided, instead the “Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.”
Not Limited To Personal Information
Previously, other California legislation had required data security measures be implemented. For example, California’s overarching data security law (Cal. Civ. Code § 1798.71.5), requires reasonable data security measures to protect certain types of personal information. This current approach is not tied to personal information, but rather applies to any connected device that meets the definition provided.
Likely Consequences After The Legislation Comes Into Effect in January 2020
a. Impact Will Be National: Most all manufacturers will want to sell their devices in California As such they will need to comply with this California Legislation, as unless they somehow segment which devices are offered for sale in the California market, they will have to effectively comply nationally.
b. While Physical Device Manufacturers Bear Initial Burden, Software Companies Will Be Affected: The Legislation applies to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” While this puts the burden foremost on physical device manufacturers, software companies that provide software to device manufacturers for inclusion on the device before the device is offered for sale will need to support compliance with the Legislation.
c. Merger And Acquisition Events Will Serve As Private Enforcement Mechanisms: While there may not be a private right of action provided, whenever entities or portions of entities that are subject to the Legislation are bought and sold, the buyer will want to ensure compliance by the seller with the Legislation or otherwise ensure that the seller bears the risk or has compensated the buyer. Effectively, this will mean that companies that want to be acquired will need to come into compliance or face a reduced sales price or a similar mechanism of risk shifting.