
California’s 'Other' Game-Changer: Complying with the New IoT Cybersecurity Law

By Reece Hirsch
February 11, 2020

When California Governor Jerry Brown signed Senate Bill 327 on September 28, California became the first state to enact legislation expressly governing cybersecurity measures that must be employed by manufacturers of Internet-connected “smart” devices, collectively known as the Internet of Things (IoT). The law, to be codified at California Civil Code Sections 1798.91.04–06, became effective on January 1, 2020.

The new law applies to any “manufacturer of a connected device,” which is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” A “connected device” is “any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address,” a definition that is broad enough to encompass most devices that are commonly considered part of the IoT.

Connected device manufacturers are required to “equip the device with a reasonable security feature or features” that must be “appropriate to the nature and function of the device [and] the information it may collect, contain, or transmit.” The reasonable security features must also be “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

There are some safe harbors under the statute. For example, the following measures will be deemed reasonable security features for connected devices “with a means for authentication outside a local area network”:

  1. The preprogrammed password is unique to each device manufactured; or
  2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The term “manufacturer” does not include those who simply purchase a connected device, or purchase and brand a connected device. The statute also does not impose a duty on the manufacturer of a connected device with respect to unaffiliated third-party software or applications that a user chooses to add to a connected device. The IoT law also does not apply to entities to the extent that they are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or California’s Confidentiality of Medical Information Act.

The IoT law does not create a private right of action. Instead, the California attorney general or a city attorney, county counsel, or district attorney will have “exclusive authority” to enforce the statute.

Thus, manufacturers of connected devices had to incorporate reasonable security features into their devices by the start of the year, such that the device and any information stored on the device are protected from unauthorized access, destruction, use, modification, or disclosure. Significantly, the term “information” is not defined by the statute. The statute, instead, uses broad terms such as “any information” and “the information it may collect, contain, or transmit.” Accordingly, the statute will likely be construed broadly by the attorney general or a city attorney, county counsel, or district attorney, instead of being limited to the protection of personal identifying information only. If the connected device could be understood as collecting any information, manufacturers of connected devices sold or offered for sale in California should address IoT law compliance by equipping each of the connected devices with a unique preprogrammed password or the ability to require the user to generate a new password when initially setting up the device, so as to fit within the law’s safe harbor.

The IoT law’s requirements seem to build upon prior laws and regulatory guidance. The law’s “reasonable security features” requirement resembles the “reasonable security” mandate of California Civil Code Section 1798.82.5, and its password requirement is similar to recommendations in the Federal Trade Commission’s 2015 guidance document on IoT, “Careful Connections: Building Security in the Internet of Things.” IoT device manufacturers may be able to limit exposure under the new law by obtaining certification from third-party organizations that have developed standards for security of connected devices, such as Underwriters Laboratories and wireless industry association CTIA. Like the recently enacted California Consumer Privacy Act (CCPA), it seems certain that the new IoT law will have a national impact—and will likely be viewed as the de facto national standard for the connected device industry.

The good news for IoT manufacturers is that the IoT law’s “reasonable security” requirement is fairly vague, which will allow the law to keep pace with advances in technology. The vague standard also leaves much room for interpretation. The bad news for IoT manufacturers is that the vagueness of the “reasonable security” standard provides little comfort that an IoT device’s security will ultimately withstand regulatory challenge, except with respect to the more specific password/authentication provisions.

As is so often the case, a privacy or cybersecurity legislative innovation that starts in California doesn’t remain unique to California for long. Bill 2395, signed into law by Oregon Governor Kate Brown in May 2019, also went into effect on January 1 and imposes IoT cybersecurity requirements. Mandated safeguards should defend against “unauthorized access, destruction, use, modification or disclosure” of information.

KEYWORDS: CCPA cyber security cybersecurity Internet of Things (IoT) manufacturing security


Reece Hirsch is a partner in the San Francisco, Calif. office of Morgan Lewis and co-head of the firm’s Privacy & Cybersecurity practice. He can be reached at reece.hirsch@morganlewis.com.


Copyright ©2025. All Rights Reserved BNP Media.
