California Becomes First State to Pass IoT Security Law

California continues to pass tighter laws in the cybersecurity world.

California Governor Jerry Brown recently signed into law bill No. 327, which requires manufacturers of connected devices to include “reasonable” security features in devices sold in California. With passage of this new law, California becomes the first state in the nation to adopt such legislation.

What the Law Requires

Beginning on January 1, 2020, the law will require a manufacturer of a connected device to equip the device with reasonable security features that are “appropriate to the nature and function of the device” and appropriate to the type of information collected by the device. It also mandates that any maker of an Internet-connected, or “smart,” device ensure the device has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

The security measures are designed to protect against potential data breaches. Some of the “reasonable” security measures include, where appropriate, having a unique, pre-programmed password or making consumers create a password before using the device the first time.

The law does not impose obligations on IoT manufacturers with regard to third-party software or applications that a user might choose to add to the device. The new law also does not include a private right of action.

Moving Forward

The passage of the California law illustrates again that the Golden State is moving faster than the rest of the country when it comes to cybersecurity. 

In late 2017, a bipartisan collection of U.S. Senators introduced legislation that would apply more rigorous standards to companies that supply connected devices to the federal government.

The federal bill, the Internet of Things Cybersecurity Improvement Act, includes a provision that would ban hard-coded passwords, as well as language that would require that connected devices be patchable and otherwise free of known security vulnerabilities. But after more than a year, the legislation has yet to gain traction in the Senate.

