Long a pioneer in consumer protection legislation, California has moved to the front of the line in regulating the so-called Internet of Things. On September 28, 2018, Governor Jerry Brown signed a landmark cybersecurity bill that makes California the first state to pass legislation regulating internet-connected devices, beating even the federal government to the punch. The law comes at a time when more and more internet-connected products are hitting the shelves and entering our homes. For example, just this past September, Amazon introduced a number of new Alexa-enabled products, including subwoofers, clocks and car gadgets. Policymakers have expressed growing concern over the security of internet-connected devices and their potential vulnerability to cyberattacks and other abuses, and California has taken the first steps toward addressing those concerns through legislation.
Effective January 1, 2020, Senate Bill No. 327, Information Privacy: Connected Devices (SB 327), will require a “manufacturer” of a “connected device” to equip the device with a reasonable security feature or features. For purposes of SB 327, “connected device” is defined broadly, covering any physical object that is capable of connecting directly or indirectly to the internet and that has an internet protocol (IP) or Bluetooth address. “Manufacturer” refers to any person who manufactures, or contracts with any person to manufacture, connected devices that are sold in California.
Under the new law, to meet the “reasonable security features” standard, the product’s security measures must be:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain or transmit; and
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
In addition to those general guidelines, SB 327 adds a specific requirement for passwords. If the device is accessible outside of a local area network, then to meet the “reasonable security features” standard it must either have a preprogrammed password that is unique to each device (so, no more shared default login credentials) or require the user to generate new authentication credentials before the device can be accessed for the first time. This provision of SB 327 addresses concerns around the relative ease with which default passwords can be guessed by hackers.
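As an added illustration (not part of the original alert, and not any regulator's tool), the password provision can be turned into an inventory check: a device reachable beyond the LAN passes only if it forces credential setup before first access, or if its factory password is shared with no other device in the fleet. The device records, field names and serial numbers below are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    reachable_outside_lan: bool        # accessible beyond the local area network?
    preprogrammed_password: Optional[str]  # factory credential, if any (constructed)
    forces_credential_setup: bool      # must new credentials be set before first access?


def audit_sb327_passwords(devices: Iterable[DeviceRecord]) -> Dict[str, str]:
    """Return {serial: reason} for devices meeting neither SB 327 password prong."""
    devices = list(devices)
    # Uniqueness is a fleet-level property: a factory password is unique only
    # if no other device in the inventory (LAN-only ones included) shares it.
    counts = Counter(d.preprogrammed_password for d in devices if d.preprogrammed_password)
    findings: Dict[str, str] = {}
    for d in devices:
        if not d.reachable_outside_lan:
            continue  # the password provision applies only beyond the LAN
        if d.forces_credential_setup:
            continue  # prong 2: new credentials required before first access
        pw = d.preprogrammed_password
        if pw and counts[pw] == 1:
            continue  # prong 1: preprogrammed password unique to this device
        if not pw:
            findings[d.serial] = "no preprogrammed password and no forced credential setup"
        else:
            findings[d.serial] = f"shared factory password used by {counts[pw]} devices"
    return findings


def audit_sample_fleet() -> Dict[str, str]:
    """Run the audit over a constructed sample inventory."""
    fleet = [
        DeviceRecord("SN-0001", True, "admin", False),      # shared default, fails
        DeviceRecord("SN-0002", True, "admin", False),      # shared default, fails
        DeviceRecord("SN-0003", True, "k7Qp-93xL-Vz2m", False),  # unique per device, passes
        DeviceRecord("SN-0004", True, None, True),          # forced first-use setup, passes
        DeviceRecord("SN-0005", False, "admin", False),     # LAN-only, provision not triggered
        DeviceRecord("SN-0006", True, None, False),         # nothing at all, fails
    ]
    return audit_sb327_passwords(fleet)


if __name__ == "__main__":
    for serial, reason in audit_sample_fleet().items():
        print(f"{serial}: {reason}")
```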
Early reactions to the bill by industry participants are mixed, with some praising the flexibility of the general guidelines and others maintaining that the lack of flexibility will make the law hard to interpret. We will keep you informed of further developments as SB 327 is applied by regulators and the courts and guidance is issued so that you can be in the best position to comply.