Effective January 1, 2020, California law will require manufacturers of most Internet of Things (IoT) and Bluetooth connected devices to implement one or more "reasonable security features." The law, the first IoT security law in the country, was signed by California Governor Jerry Brown in late September. The law is not prescriptive, except that it implicitly prohibits pre-programming remotely connected devices with the same password unless users are required to change the password before accessing the device for the first time.

The law is very likely to drive greater consideration of the security of connected devices. Although not enforceable by the plaintiffs' bar, it may be enforced by the California State Attorney General's office, as well as county, city and district attorney's offices. Enforcement actions are foreseeable, most notably if devices are hacked in a manner that prompts either a notifiable data breach or some sort of material malfunction of the device or a botnet attack that causes economic or physical harm.

The law covers most devices sold or offered for sale in California that "connect to the Internet directly or indirectly" and that are "assigned an [IP] address or Bluetooth address," Civ. Code § 1798.91.05(b), except for devices whose functionality is subject to federal security requirements or enforceable guidance.

1. THE SECURITY OBLIGATIONS

The law requires that the security feature(s) be: (1) "Appropriate to the nature and function of the device, and . . . the information the device may collect, contain, or transmit"; and (2) "Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure." Civ. Code § 1798.91.04(a)(1)-(3). The first of these requirements is clearly risk-based. However, the second does not seem to be.

For devices that are authenticated remotely ("equipped with a means for authentication outside a local area network"), the law states that the device has a reasonable security feature if either: "(1) The preprogrammed password is unique to each device manufactured; or (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." § 1798.91.04(b)(1)-(2). However, compliance is still "subject to the [other] security requirements." Id.
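As an added illustration (not part of the article and not any manufacturer's firmware), the two compliant paths of § 1798.91.04(b) modeled in Python: a per-unit random factory credential under (b)(1), and a first-access gate under (b)(2) that lets a shared factory credential do nothing except set a new one. The names Device, provision_unique, provision_shared and login are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two compliant paths in Civ. Code § 1798.91.04(b):
#   (b)(1) a factory credential unique to each unit manufactured, or
#   (b)(2) a gate that forces a new credential before first access is granted.
# All names here are hypothetical; this is not any vendor's firmware.

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    cred_hash: bytes = b""
    factory_shared: bool = False   # factory credential is common to the whole product line
    rotated: bool = False          # user has replaced the factory credential

def provision_unique(serial: str) -> tuple:
    """Path (b)(1): mint a random per-unit credential at manufacture; return it for the label."""
    dev = Device(serial=serial)
    pw = secrets.token_urlsafe(12)
    dev.cred_hash = _hash(pw, dev.salt)
    return dev, pw

def provision_shared(serial: str, shared_pw: str) -> Device:
    """Shared factory credential: only acceptable because login() enforces the (b)(2) gate."""
    dev = Device(serial=serial, factory_shared=True)
    dev.cred_hash = _hash(shared_pw, dev.salt)
    return dev

def login(dev: Device, pw: str, new_pw: Optional[str] = None) -> str:
    """Authenticate; a shared factory credential can only be used to set a fresh one."""
    if not hmac.compare_digest(_hash(pw, dev.salt), dev.cred_hash):
        return "denied"
    if dev.factory_shared and not dev.rotated:
        if not new_pw or new_pw == pw:
            return "change_required"   # no access until the user generates a new credential
        dev.cred_hash = _hash(new_pw, dev.salt)
        dev.rotated = True
        return "rotated"               # credential set; subsequent logins use new_pw only
    return "granted"
```

A device provisioned with a shared password but without the gate in login() would fall under neither (b)(1) nor (b)(2), which is the configuration the statute effectively forbids.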

2. SCOPE

These obligations apply to manufacturers and OEMs – any entity that either: a) manufactures or b) contracts to manufacture any device or physical object capable of connecting to the internet, and that is assigned an IP address or a Bluetooth address. § 1798.91.04(b).

They do not apply, however, to downstream purchasers of connected devices, unless they contracted for the manufacturing of the device. Furthermore, manufacturers and OEMs are not liable for "unaffiliated third party software or applications that a user chooses to add to a connected device" and retailers and online marketplaces are exempt. §1798.91.06(a) and (b).

Significantly, the law specifically exempts devices whose functionality is subject to a security requirement under federal law, regulations or guidance issued by a federal agency under its regulatory enforcement authority. § 1798.91.06(c). This exception means that at least devices designed for use by federally regulated critical infrastructure operators (such as cable or telco operators, or electrical grid operators) will be exempt from the law. Note, however, that security regulation by California (other than the Confidentiality of Medical Information Act, as discussed in the next paragraph) or another state will not qualify for an exception.

Finally, the law exempts "any person whose activities are regulated by HIPAA or the Confidentiality of Medical Information Act." § 1798.91.06(h). This exception applies even if those entities are themselves device manufacturers, and thus provides an unqualified exemption for medical device manufacturers.

3. FURTHER LIMITATIONS

The law has extensive limitations that serve to narrow both the scope and the enforcement of the statute. Among the most notable:

  • Manufacturers are not responsible for unaffiliated third-party apps that users voluntarily add to their devices, and have no duty to prevent user modifications of their devices. § 1798.91.06(a), (c).
  • Retailers and online marketplaces are not responsible for manufacturer noncompliance. § 1798.91.06(b).
  • The law does not provide the basis for a private right of action for noncompliance. The Attorney General, city attorney, county counsel, or district attorney have exclusive authority to enforce the law. § 1798.91.06(e).
  • The law does not create an obstacle to law enforcement agencies obtaining information related to a connected device from a manufacturer. § 1798.91.06(g).

4. EFFECTIVE DATE

Manufacturers of smart devices and those who contract to have smart devices manufactured have until January 1, 2020 to ensure their smart devices are produced with reasonable security features. The delayed date was intended to accommodate manufacturers of devices in later stages of production as of the date of enactment.