What’s the deal with California’s new IoT security law?

The bill, now enacted, stated that “a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure, as specified.”

This is not the first time US lawmakers have addressed IoT manufacturers in an attempt to regulate the connected landscape. Senator Warner (D-VA) introduced in March 2019 the Internet of Things Cybersecurity Improvement Act of 2019 to require enhanced security measures from IoT device manufacturers. California, by virtue of being the world’s fifth largest economy, has put its own stamp on the matter with the new regulations that took effect Jan. 1, 2020.

Critics say the new law leaves an open question regarding a clear definition of key terms such as “reasonable security feature” and “connected device,” making future steps unclear. Additionally, the law does not only address consumer devices, but it impacts an overwhelmingly number of different devices sold in the state.

“The definition of “connected device” is fairly clear in the law’s language, but has some potential gaps,” according to Adrian Sanabria, advocate for Thinkst Applied Research. “There are many examples of IoT devices that don’t connect to the Internet (and would therefore be exempt from this law) that could be attacked if anyone is in physical proximity to them,” he said, noting that devices such as headphones with built-in microphones as an example of devices that might-or might not-be exempt.

According to the law, any equipment that connects to the internet and has an IP or Bluetooth address is considered a connected device, including printers, PoS terminals, medical equipment, fridges, smart light bulbs and smart watches. Additionally, hard-coded passwords, also known as embedded credentials, are not accepted as security standards under the new law, and, to be activated, devices will need to have unique passcodes.

Is it just a matter of device authentication to enable a quick fix or is the industry looking at a more stringent approach for connected devices sold across the state such as creating a special line of products? There’s no clear answer to that question yet.

Another question: what happens if there is a violation of the law? The government is the only institution that can run investigations under the law, as it can only be enforced by the California Attorney General, city attorneys, county councils and district attorneys, and does not give the right of private action. Manufacturers will have to share data with law enforcement if authorized by a court order.

As of January 2020, enterprises trying to do business in California will not only have to deal with new guidelines and responsibilities under the IoT cybersecurity law, but also with the separate matter of the California Consumer Privacy Act (CCPA) which addresses data privacy and security. There are some valid, pressing issues that the California legislature has tried to address with these two laws in the absence of federal leadership on matters of privacy and security. Still, there are clearly many new issues of interpreting and enforcing the law that are raised with the implementation of CCPA and SB 327.

What is the law missing? How will it affect manufacturers and what does “reasonable security feature” even mean? At national level, how will the new restrictions affect manufacturers’ product offering in a constant struggle to satisfy consumer expectations? Thinkst’s Sanabria offers his in-depth response to these questions in this related article.

Article Topics

analysis  |  cybersecurity  |  data  |  edge computing  |  IIoT  |  information security  |  IoT  |  law  |  privacy  |  regulations  |  Thinkst Applied Research