California Gov. Jerry Brown recently signed cybersecurity legislation that requires manufacturers of internet-connected devices (IoT) to equip these devices with reasonable security features. California broke new ground with the legislation, becoming the first state in the country to regulate Internet-connected devices.
Assembly Bill 1906 and Senate Bill 327
The bills are virtually identical and passage of both was required for either to become law. The legislation was prompted by what the sponsors said was a “lack of basic security features” on internet connected devices.
Both require companies that make Internet-connected devices to equip them with “a reasonable security feature or features” that are designed to protect the device and any information it contains from unauthorized access or use. Connected devices are broadly defined as any device that is capable of connecting to the Internet and that has an IP or Bluetooth address. In addition to smartphones and laptops, household devices such as televisions and microwaves could also meet this definition.
The legislation’s “reasonable” security requirement will be met if the pre-programmed password is unique to each device, or if the device has a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. So, devices can’t all come with “1234” as the initial password, unless that password must be changed before use.
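The two compliance paths the bill describes map onto two concrete design choices in device firmware and factory provisioning. The following is an added example, not text from the bills or code from any manufacturer: a per-unit default password derived at the factory (the keyed-hash scheme, the PBKDF2 parameters and the eight-character minimum are assumptions), a login gate that refuses access until a shared default has been replaced, and a batch audit that flags units meeting neither path.

```python
import hashlib
import hmac
import secrets

# Constructed: the kind of factory-wide default the bill rules out.
SHARED_DEFAULT = "1234"


def unique_default_password(serial: str, factory_key: bytes) -> str:
    """Derive a per-unit default password from the serial and a factory key.

    Assumption (not from the article): a keyed hash gives each unit a distinct
    value without the factory storing a password list; the value is printed on
    the device label and the key never leaves the provisioning system.
    """
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return digest[:10].hex()  # 20 hex characters, unique per serial under the key


class Device:
    """Minimal login gate. force_change models the second compliance path:
    no access until the user replaces the pre-programmed credential."""

    def __init__(self, serial: str, initial_password: str, force_change: bool):
        self.serial = serial
        self.force_change = force_change
        self.credential_replaced = False
        self._salt = secrets.token_bytes(16)          # per-device salt
        self._hash = self._derive(initial_password)   # never store the plaintext

    def _derive(self, password: str) -> bytes:
        # Assumed parameters; a slow KDF so a leaked hash is not a leaked password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._hash)

    def login(self, password: str) -> tuple[bool, str]:
        if not self._check(password):
            return False, "bad credential"
        if self.force_change and not self.credential_replaced:
            # Correct default supplied, but first access is still denied until
            # a new credential has been set.
            return False, "initial credential must be replaced before first access"
        return True, "ok"

    def set_password(self, current: str, new: str) -> bool:
        if not self._check(current):
            return False
        if new == current or len(new) < 8:
            return False  # re-entering the default would defeat the forced change
        self._hash = self._derive(new)
        self.credential_replaced = True
        return True


def audit_batch(records):
    """records: list of (serial, initial_password, force_change) as the factory
    provisioned them. Returns the serials that satisfy neither path: a default
    shared with at least one other unit and no forced change on first use."""
    counts = {}
    for _, pw, _ in records:
        counts[pw] = counts.get(pw, 0) + 1
    return [s for s, pw, force in records if counts[pw] > 1 and not force]


if __name__ == "__main__":
    key = b"constructed-factory-key"
    unit = Device("SN-0003", SHARED_DEFAULT, force_change=True)
    print(unit.login(SHARED_DEFAULT))          # denied until the default is replaced
    unit.set_password(SHARED_DEFAULT, "correct horse battery")
    print(unit.login("correct horse battery"))  # (True, 'ok')
    batch = [("SN-1", SHARED_DEFAULT, False), ("SN-2", SHARED_DEFAULT, False),
             ("SN-3", SHARED_DEFAULT, True),
             ("SN-4", unique_default_password("SN-4", key), False)]
    print(audit_batch(batch))                   # ['SN-1', 'SN-2']
```

The audit runs on the factory's provisioning records rather than on the devices, because once a device has salted and hashed its default there is no way to tell from the device alone whether the same default was burned into a thousand other units.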
The law applies to any company that manufactures connected devices sold in California. Various exceptions apply, including those for:
Manufacturers of a connected device, with respect to unaffiliated third-party software or applications that a user chooses to add to the device;
Providers of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications;
Connected devices that are already subject to security requirements under federal law; and
Health care providers or any other person subject to the federal HIPAA law or the Confidentiality of Medical Information Act.
The new law comes on the heels of the California Consumer Privacy Act, a data-privacy law passed in June that provides consumers with various rights relating to their personal information, including the right to know what personal information a business has collected about them.
When the cybersecurity law takes effect on Jan. 1, 2020, its impact will be national, as most companies want to sell their devices in California. Manufacturers would be well served to evaluate, well in advance, the security features on their connected devices, in particular how initial passwords are provisioned, to make sure they are in compliance.