February 27, 2020

The Internet of Things: Proposed Federal Legislation and Potential Federal vs. State Conflict?

Legislation aimed at improving the security of devices that are part of the Internet of Things was introduced in the U.S. Senate and House of Representatives this week. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would establish standards for federal government agencies that purchase IoT devices for use by the federal government. The proposed law, spearheaded by Senators Mark Warner (D. VA), Cory Gardner (R. CO), Maggie Hassan (D. NH), and Steve Daines (R. MT), would call on the National Institute of Standards and Technology (NIST) to develop standards addressing, at a minimum, secure development, identity management, patching, and configuration of IoT devices. NIST also would provide guidance to the federal government on policies and procedures for the reporting, coordination, publishing, and receipt of information about IoT device security vulnerabilities, and the proper resolution of such vulnerabilities.

In a written statement, Senator Warner explained his intention that “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.” Similar federal legislation was introduced in 2017. The 2017 version, however, included specific requirements, e.g., for password management and software updates, which are not present in the 2019 legislation.

California is the first state to pass a cybersecurity law addressing “smart” devices and IoT technology, impacting virtually anything connected to the internet, including smart home devices (e.g., WeMo Smart Plugs, August's Smart Lock, NEST thermostats) and connected appliances. The new law would take effect January 1, 2020.

Security Obligations

California's new law specifies the security obligations of “manufacturers” of connected devices. A manufacturer includes the person who manufactures or contracts with another person to manufacture connected devices sold or offered for sale in California. The law will therefore apply to manufacturers outside of California if their products are sold in California.

Under the new law, a covered manufacturer of a connected device must equip the device with a “reasonable security feature” that is:

  • Appropriate to the device’s nature and function
  • Appropriate to the information the device may collect, contain, or transmit
  • Designed to protect the device and any of its information from unauthorized access, destruction, use, modification, or disclosure.

The phrase “security feature” includes any feature designed to provide security for the device. “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer. If a device is programmed to authenticate outside a local area network, the security feature is deemed to be reasonable if either of these apply:

  • The preprogrammed password is unique to each device
  • The security feature requires a user to generate a new means of authentication before access is granted to the device for the first time.

Cautionary Items

Although California's new law is sweeping in scope, there are some safeguards and exemptions. For example, there is no private right of action under the statutes, activities regulated by HIPAA are exempt, and manufacturers are not responsible for choices made by the owner/consumer or for the impact of non-affiliated software or apps. In light of the breadth of the law and the specific nature of the exemptions, products liability insurers of manufacturers whose connected devices are or will be sold in California may wish to require insureds to assess which products will be subject to the new law and ensure that “reasonable security features” are in place. Alternatively, development of expanded/reinforced exclusionary language may be advisable.

Query whether more states will follow suit? And query the impact of federal legislation on California’s law and on any other state IoT laws that might be enacted.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Dan Brown, insurance lawyer, Drinker Biddle

Dan Brown represents insurance companies, agents and brokers, and others in all aspects of the admitted, exempt, and surplus lines insurance markets in the United States. This includes advising alien or foreign insurers on how to comply with various state laws in placing business; advising insures on exempt and specialty lines such as marine, aviation, and transportation risks; advising producers on licensing, placement and premium tax issues; and advising insureds on coverage and placement issues. Dan advises participants in the London market on how to...

(415) 591-7585
Thomas M. Dawson, Insurance, Attorney, Drinker Biddle

Thomas M. Dawson* represents U.S. and non-U.S. insurers on regulatory, licensing and corporate matters. He is co-chair of the firm's Insurance Regulatory and Transactional Team within the Corporate and Securities Practice Group.

Tom advises industry participants on a wide variety of regulatory and transactional matters, including cybersecurity compliance, insurtech ventures and Holding Company Act filings. He has assisted clients in forming, acquiring and investing in U.S. insurers, reinsurers and intermediaries. He counsels non-insurers on advertising, licensing and marketing generally, and provides regulatory compliance advice to service contract issuers and other specialty product providers.

Tom has guided non-U.S. re/insurers in the London market, Europe, Bermuda and in Asia for more than 25 years, helping them obtain and maintain surplus lines and reinsurer approvals as well as monitoring state and federal legislation.

*Tom’s practice is limited to advising clients on U.S. law, and he is not admitted to practice as a solicitor in England and Wales.


Ben V. Seessel represents life insurers, annuity issuers, and other financial services companies in class actions and other complex cases in federal and state courts across the country. He has litigated numerous cases involving life insurance products, including defending against allegations of statutory and regulatory infractions, ERISA violations, violations of consumer protection laws, fraud, negligent misrepresentation, breach of contract, breach of fiduciary duty, negligence, and unjust enrichment, among other claims.

Ben also represents life insurers in regulatory and...