California’s 'Other' Game-Changer: Complying with the New IoT Cybersecurity Law
When California Governor Jerry Brown signed Senate Bill 327 on September 28, 2018, California became the first state to enact legislation expressly governing the cybersecurity measures that manufacturers of Internet-connected “smart” devices, collectively known as the Internet of Things (IoT), must employ. The law, codified at California Civil Code Sections 1798.91.04–06, took effect on January 1, 2020.
The new law applies to any “manufacturer of a connected device,” which is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” A “connected device” is “any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address,” a definition that is broad enough to encompass most devices that are commonly considered part of the IoT.
Connected device manufacturers are required to “equip the device with a reasonable security feature or features” that must be “appropriate to the nature and function of the device [and] the information it may collect, contain, or transmit.” The reasonable security features must also be “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
The statute contains a safe harbor. For connected devices “with a means for authentication outside a local area network,” either of the following measures is deemed a reasonable security feature:
- The preprogrammed password is unique to each device manufactured; or
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The term “manufacturer” does not include those who simply purchase a connected device, or purchase and brand a connected device. The statute also does not impose a duty on the manufacturer of a connected device with respect to unaffiliated third-party software or applications that a user chooses to add to a connected device. The IoT law also does not apply to entities to the extent that they are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or California’s Confidentiality of Medical Information Act.
The IoT law does not create a private right of action. Instead, the California attorney general or a city attorney, county counsel, or district attorney will have “exclusive authority” to enforce the statute.
Thus, manufacturers of connected devices had to incorporate reasonable security features into their devices by the start of 2020, such that the device and any information stored on it are protected from unauthorized access, destruction, use, modification, or disclosure. Significantly, the statute does not define “information.” It instead uses broad terms such as “any information” and “the information it may collect, contain, or transmit.” The attorney general or a city attorney, county counsel, or district attorney is therefore likely to construe the statute broadly, rather than limiting it to personally identifying information. Because almost any connected device can be understood as collecting some information, manufacturers of connected devices sold or offered for sale in California should, at a minimum, equip each device with a unique preprogrammed password or a mechanism that requires the user to generate a new password during initial setup, so as to fit within the safe harbor for the authentication feature. Note that the safe harbor addresses only the device’s means of authentication; the general duty to provide security features “appropriate to the nature and function of the device” remains.
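The two safe-harbor measures listed above (a per-unit factory password, or a gate that forces the owner to set a new credential before the first remote login) are straightforward to implement in device firmware. The following Python model is an added illustration, not code from the article, the statute, or any manufacturer. It assumes a manufacturer-held provisioning key (a constructed placeholder here) that never ships on the device, so the factory password can be derived from the serial number at the factory but not by anyone who reads the serial off the label. It also models the “first access” gate: the factory credential works on the local network for setup, but remote access is refused until it has been replaced.

```python
"""Safe-harbor style credential handling for a connected device (illustrative model).

1. factory_password(): a preprogrammed password unique to each unit.
2. ConnectedDevice: no access from outside the LAN until the owner has
   replaced the factory credential.
"""
import hashlib
import hmac
import os

# Assumed/constructed: a secret kept in the manufacturer's provisioning system,
# never stored on the device. Real deployments would keep this in an HSM.
FACTORY_PROVISIONING_KEY = bytes.fromhex("1f" * 32)

# Shared-secret anti-pattern that the statute's safe harbor is aimed at:
# every unit ships with the same password, so one leak opens the whole line.
SHARED_DEFAULT_PASSWORD = "admin"

# Label-printable alphabet with no 0/O or 1/I ambiguity (32 symbols = 5 bits each).
_LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def factory_password(serial: str, key: bytes = FACTORY_PROVISIONING_KEY) -> str:
    """Derive a per-device password from the serial number and a factory secret.

    HMAC-SHA256 keyed with a secret the device does not hold means the password
    is unique per unit and cannot be recomputed from the printed serial alone.
    The first 16 bytes of the digest are encoded as 20 label-friendly characters
    (100 bits of the 128 available).
    """
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest[:16], "big")
    chars = []
    for _ in range(20):
        value, idx = divmod(value, len(_LABEL_ALPHABET))
        chars.append(_LABEL_ALPHABET[idx])
    return "".join(chars)


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier; the device stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ConnectedDevice:
    """Credential state of one unit from factory to owner setup."""

    def __init__(self, serial: str):
        self.serial = serial
        self._salt = os.urandom(16)
        self._pw_hash = _verifier(factory_password(serial), self._salt)
        # Becomes True only once the owner has generated a new credential.
        self.setup_complete = False

    def login(self, password: str, remote: bool) -> str:
        """Return 'ok', 'denied', or 'setup_required'.

        remote=True models a request arriving from outside the local area
        network, the case the statute's safe harbor is written for.
        """
        candidate = _verifier(password, self._salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return "denied"
        if remote and not self.setup_complete:
            # Factory credential is only good for local setup; no remote
            # access is granted until a new means of authentication exists.
            return "setup_required"
        return "ok"

    def complete_setup(self, current_password: str, new_password: str) -> bool:
        """Owner replaces the factory credential; rejects trivial choices."""
        if self.login(current_password, remote=False) != "ok":
            return False
        if len(new_password) < 12 or new_password == current_password:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = _verifier(new_password, self._salt)
        self.setup_complete = True
        return True


def passwords_unique(serials) -> bool:
    """True if every unit in a production run gets a distinct factory password."""
    pws = {factory_password(s) for s in serials}
    return len(pws) == len(set(serials))
```

In practice the factory password is printed on the unit's label or shown in a companion app, and the setup flow forces the owner through complete_setup() before the cloud or remote-management endpoint will accept a session. Deriving the password by keyed HMAC rather than storing a random string per unit keeps the factory database small, but the provisioning key then becomes the crown jewel and belongs in an HSM, not in firmware.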
The IoT law’s requirements build upon prior laws and regulatory guidance. The “reasonable security features” requirement resembles the “reasonable security” mandate of California Civil Code Section 1798.81.5, and its password requirement is similar to recommendations in the Federal Trade Commission’s 2015 guidance document on IoT, “Careful Connections: Building Security in the Internet of Things.” IoT device manufacturers may be able to limit exposure under the new law by obtaining certification from third-party organizations that have developed security standards for connected devices, such as Underwriters Laboratories (UL) and the wireless industry association CTIA. Like the recently enacted California Consumer Privacy Act (CCPA), the new IoT law will almost certainly have a national impact and will likely be treated as the de facto national standard for the connected device industry.
The good news for IoT manufacturers is that the IoT law’s “reasonable security” requirement is fairly vague, which will allow the law to keep pace with advances in technology. The vague standard also leaves much room for interpretation. The bad news for IoT manufacturers is that the same vagueness provides little comfort that a device’s security will ultimately withstand regulatory challenge, except with respect to the more specific password/authentication provisions.
As is so often the case, a privacy or cybersecurity legislative innovation that starts in California doesn’t remain unique to California for long. House Bill 2395, signed into law by Oregon Governor Kate Brown in May 2019, also went into effect on January 1, 2020, and imposes IoT cybersecurity requirements. Its mandated safeguards must likewise defend against “unauthorized access, destruction, use, modification or disclosure” of information.