Header graphic for print
Global Media and Communications Watch The International Legal Blog for the Tech, Media and Telecoms Industry
Posted in Data Protection & Privacy, Policy & Regulation Timothy TobinPaul Otto

California Passes First-Of-Its-Kind Law Focussed on Internet of Things Cybersecurity

Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”

The new law regulates manufacturers of “connected device(s),” defined as devices that can directly or indirectly connect to the Internet and are assigned an Internet Protocol (IP) or Bluetooth address. The law likely applies primarily to manufacturers of consumer-facing connected devices, given the legislative history and text, although the language is quite broad. Notably, various exemptions apply, including those for:

  • unaffiliated third-party software or applications that a user adds to a connected device;
  • providers of means of purchasing or downloading software or applications, such as the provider of an electronic store or marketplace;
  • connected devices already subject to federal law or regulation promulgated by a federal agency; and
  • entities or persons subject to HIPAA or the California Confidentiality of Medical Information Act (CMIA), with respect to activity regulated by those laws.

The above exemptions likely exclude large numbers of existing connected devices, such as those regulated by the Food and Drug Administration (FDA) or the Office for Civil Rights (OCR) (the agency with HIPAA enforcement responsibility). However, some otherwise regulated connected devices that fall under an exemption may still be subject to the requirements of this law if those same devices are sold to and used by household consumers. For example, while a manufacturer of a HIPAA-regulated connected medical device appears to fall under an exemption to the extent that federal law applies, the manufacturer may nonetheless remain subject to the new CA IoT law for that device where the manufacturer engages in direct-to-consumer sales.

Although this new IoT law does not clearly define what constitutes a “reasonable” security feature, it specifies that any such feature must be:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain, or transmit; and
  • designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

In addition to the above-mentioned requirements, if a regulated connected device is capable of authentication outside a local area network, the device will be deemed to be equipped with a “reasonable security feature” if:

  • the preprogrammed password is unique to each device; or
  • a user is required to generate a new password before accessing the device for the first time.

Well before the January 1, 2020 implementation date, covered manufacturers are well advised to evaluate any existing security features on connected devices subject to this law to confirm that such features provide proper protection of the device and its information. It may be advisable to conduct a review of the design, development, and deployment of the security of connected devices and confirm baseline guidelines for security features.  To that end, organizations may find helpful recent draft guidance published by the US National Institute of Standards and Technology (NIST) on “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” NISTIR 8228, which is open for public comment until October 24, 2018.