Consumers are increasingly embracing connected wearables and home appliances, such as fitness trackers and smart thermostats. According to one projection, at the end of 2018, the number of these “Internet of Things” (“IoT”) devices surpassed the number of mobile phones. By 2020, the worldwide installed IoT base is projected to grow to over 30 billion devices. IoT technology has the potential to usher in an era of enhanced convenience, safety, and efficiency, while also fueling the growing $4 trillion wellness economy. But IoT providers should also prepare themselves for a building wave of attention and regulation following a number of headline-grabbing incidents or breaches, such as the hacking of baby monitors and medical devices. Indeed, in less than a year, designing devices with “reasonable security features” like individualized preprogrammed passwords will be table stakes for IoT device manufacturers.
California is the first state in the United States to legislate on these issues. Starting January 1, 2020, under a new state law (“SB-327”), any IoT-device manufacturer that wants to sell its products in California will have to equip those devices with “reasonable security feature[s]” or face enforcement from the California Attorney General, city attorneys, county counsel and district attorneys (the statute creates no private right of action). Because device manufacturers are unlikely to design products exclusively for California, SB-327 effectively sets the nationwide standard for IoT device security, at least for now. Manufacturers, consumers, and other entities in the IoT ecosystem should therefore make sure that they understand what this new law requires.
The primary directive in SB-327 is that IoT devices, which the statute calls “connected devices” and defines as any device or other physical object that is “capable of connecting to the Internet, directly or indirectly,” and that is assigned an Internet Protocol address or Bluetooth address, must be equipped with reasonable security features. That definition sweeps in devices that never talk to the Internet themselves but pair with a phone or hub that does. These features must be:
- appropriate to the nature and function of the device,
- appropriate to the information the device may collect, contain or transmit, and
- designed to protect the device, as well as any data it stores, from unauthorized access, destruction, use, modification, or disclosure.
By defining the reasonableness of a security feature relative to the “nature and function” of the device, as well as the data the device collects and stores, SB-327 appears to afford manufacturers the flexibility to determine how much security is necessary. But the flip side of flexibility is regulatory uncertainty—what happens if the California attorney general disagrees with a manufacturer’s evaluation of the security needs for a particular device?
Manufacturers that want to avoid this uncertainty can rely on a safe harbor for devices that can be authenticated to from outside a local area network: the device’s password will be deemed a reasonable security feature if either (1) the preprogrammed password is unique to each device manufactured or (2) the device requires the user to generate a new means of authentication before access is granted for the first time. In practice “unique” should mean unpredictable: a per-device password derived from the serial number or MAC address, both of which an attacker on the network can often read, satisfies the letter of option (1) while giving up its benefit. Hackers have referred to taking over devices with shared preprogrammed passwords as “hacking on easy mode.” The Mirai botnet, for example, scanned the Internet for devices that accepted a telnet login with any of a few dozen factory-default username/password pairs, enrolled the webcams and routers it found, and in October 2016 used them for a distributed denial-of-service attack on the DNS provider Dyn that made Netflix, Spotify, Twitter and other major websites unreachable.
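The following is an added example, not code from the article or from any manufacturer’s firmware. It models the three credential-provisioning choices the safe harbor contrasts: a shared factory default, a per-device random password (option 1), and a default that must be replaced on first use (option 2), and runs a Mirai-style default-credential dictionary against each. The `Device` class, the provisioning functions and the credential list are all constructed for illustration; the list is a stand-in for Mirai’s real dictionary, not a copy of it.

```python
"""Toy model of the SB-327 password safe harbor (constructed example)."""

import hashlib
import hmac
import secrets

# Constructed stand-in for a Mirai-style default-credential dictionary.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("root", "12345"),
    ("admin", "password"),
    ("user", "user"),
]

PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12


def hash_password(password, salt):
    """Store a salted PBKDF2 digest rather than the password, so a dump of
    the flash does not hand an attacker every unit's credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def is_acceptable_password(password):
    """Reject short passwords and anything on the public default list."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password not in {pw for _, pw in DEFAULT_CREDENTIALS}


class Device:
    """Minimal credential store standing in for one connected device."""

    def __init__(self, username, password, force_change=False):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        # Safe-harbor option (2): no access until the credential is replaced.
        self.must_change_password = force_change

    def _verify(self, username, password):
        if username != self.username:
            return False
        candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def login(self, username, password):
        """True only if the credential is right AND first-use setup is done."""
        return self._verify(username, password) and not self.must_change_password

    def change_password(self, old, new):
        """Replace the credential; this is the only action a first-use device
        permits, and it enforces the policy in is_acceptable_password()."""
        if not self._verify(self.username, old) or not is_acceptable_password(new):
            return False
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(new, self.salt)
        self.must_change_password = False
        return True


def provision_shared_default():
    """Pre-SB-327 practice: every unit ships with the same credential."""
    return Device("admin", "admin")


def provision_unique_password():
    """Safe-harbor option (1): a random per-device password printed on the
    label. It comes from a CSPRNG, not from the serial number or MAC, which
    an attacker on the network can read. Returns (device, label_password)."""
    label_password = secrets.token_urlsafe(12)
    return Device("admin", label_password), label_password


def provision_first_use_change():
    """Safe-harbor option (2): a default exists but is unusable until replaced."""
    return Device("admin", "admin", force_change=True)


def dictionary_attack(device, credentials=DEFAULT_CREDENTIALS):
    """Mirai-style attempt: try each known default, return the first that works."""
    for username, password in credentials:
        if device.login(username, password):
            return (username, password)
    return None


if __name__ == "__main__":
    print("shared default:", dictionary_attack(provision_shared_default()))
    print("unique password:", dictionary_attack(provision_unique_password()[0]))
    first_use = provision_first_use_change()
    print("first-use device before setup:", dictionary_attack(first_use))
    first_use.change_password("admin", "correct-horse-battery")
    print("first-use device after setup:", dictionary_attack(first_use))
```

Run stand-alone, the shared-default device falls to the first entry in the list, while the other two return nothing: the labelled unit's password is not in any public dictionary, and the first-use unit refuses every login, including the correct default, until the owner has set a credential that passes the policy check.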
Reaction to the law has predictably been mixed. Some critics claim that SB-327 does not go far enough, arguing it should also ensure consumers do not adopt inadequate passwords and impose specific requirements for device security. Others have argued that the bill goes too far: In their view, the law is unnecessary because the Federal Trade Commission already requires manufacturers to implement reasonable protections, and additional requirements risk deterring or stifling innovation. These fault lines will no doubt continue as SB-327 is implemented and interpreted—and as other state legislatures and Congress take up IoT-device security issues in the near future.