California Passes First Internet of Things Security Law in the U.S.
By Devika Kornbacher and Sean Belding*
On September 28, 2018, California Governor Jerry Brown signed into law a bill titled “Security of Connected Devices” (CaSCD) to regulate security of Internet of Things (IoT) devices. Similar to the California Consumer Privacy Act of 2018 (CaCPA), this law is the first of its kind in the United States and will become effective on January 1, 2020. It requires a manufacturer that sells or markets a connected device to California residents to equip that device with “reasonable security features,” appropriate to the nature and function of the device, to protect the information it may collect, contain, or transmit. Citing recent incidents of security vulnerabilities in kids’ toys, the California Senate urged that the boom of IoT demands increased security measures to “prevent against attacks on personal privacy by way of internet-connected devices which include everything from cars, to street lights, parking meters, microwave ovens, door locks, power plants, and more.”1
What the Law Requires
Reasonable Security Features: The law requires “[a] manufacturer of a connected device [to] equip the device with a reasonable security feature or features that are all of the following:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”2
Connected Device: A connected device is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”3
Authentication Outside of a Local Area Network: Connected devices are deemed to have a reasonable security feature if they are “equipped with a means for authentication outside a local area network” and either:
- “the preprogrammed password is unique to each device manufactured”; or
- “the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”4
Who the Law Applies To
Includes Manufacturers: The law defines a manufacturer as any person who “manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”5 Thus, the law applies to companies that design or manufacture IoT devices, but potentially excludes retailers that merely buy the devices.
- Federally Regulated Devices: The law excludes connected devices that are “subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency . . . .”6
- Health Providers: The law does not apply to entities and people subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act “with respect to any activity regulated by those actions.”7
- Electronic Stores: “This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.”8
How the Law is Enforced
The law does not provide a private right of action and is only enforceable by the Attorney General, a city attorney, a county counsel, or a district attorney. The CaSCD does not currently specify penalties for violating the law.
What this Means for You
Similar to the CaCPA, the CaSCD applies to companies worldwide but still has some ambiguities that may or may not be clarified through amendments. Unlike the CaSCD, there is at least some specific direction regarding what constitutes a “reasonable security feature” if the device employs authentication outside of a local area network. For companies that manufacture or commission the manufacturing of IoT devices, the CaSCD puts an end to a well-known flaw in IoT devices: universal default passwords. Companies that design or manufacture IoT devices should amend their practices accordingly, but should also be aware that the CaSCD is likely only the beginning of regulation of IoT device security. Congress is currently considering the IoT Cybersecurity Improvement Act of 2017, which would establish IoT security standards for companies selling connected devices to the federal government,9 and, the IoT Consumer TIPS Act of 2017, which would require the Federal Trade Commission to “develop voluntary education cybersecurity resources for consumers relating to the protection and use of the Internet of Things.”10
*Sean Belding is a law clerk in our Houston office.
1 Information Privacy: Connected Devices: Hearing on SB 327 Before the S., 2018 Leg. (Cal. 2018).
2 Cal. Civ. Code §§ 1798.91.04(a)(1)-(3).
3 Cal. Civ. Code § 1798.91.05(b).
4 §§ 1798.91.04(b)(1)-(2).
5 § 1798.91.05(c).
6 § 1798.91.06(d).
7 § 1798.91.06(h).
8 § 1798.91.06(b).
9 S. 1691, 115th Cong. (2017).
10 S. 2234, 115th Cong. § 3(b) (2017).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.