When Governor Jerry Brown signed Assembly Bill 1906 and Senate Bill 327 into law on Friday, California took major strides toward regulating the Internet of Things, the network of internet-connected devices that includes everything from televisions and cars, to refrigerators, fitness trackers, and baby monitors. As of January 1, 2020, “reasonable security feature[s]” must be included in all “connected devices” sold or offered for sale in California, specifically those devices capable of connecting directly or indirectly to the internet and that have an IP or Bluetooth address.
What the new law requires
The legislation focuses in particular on user authentication, requiring the manufacturer of a connected device to equip the device with reasonable measures “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Notably, this requirement is not limited to devices that collect personal information; in fact, the legislation makes no reference to the concept of personal information. For devices “equipped with a means for authentication outside a local area network,” the law provides that either of the following will be deemed a reasonable security feature: the preprogrammed password is unique to each device manufactured, or the device contains a security feature that requires a user to create a new means of authentication before access is first granted. Beyond this, the legislation gives no guidance to manufacturers in determining what security measures will be considered “reasonable.”
The legislation does not include a private right of action and can only be enforced by the state attorney general, a county counsel or a district attorney. It does not regulate medical devices, nor does it apply to manufacturers who are already regulated by HIPAA or California’s health privacy law, with respect to any activity regulated by those laws. Connected devices whose functionality is subject to federal security requirements and regulations are also not subject to the new law.
A new direction for data security law
The legislation sets the standard that all connected devices need to include security measures for authentication, not only devices that handle personal information. In this respect, the bills are a significant departure from California’s approach to data security legislation to date, such as California’s general data security law (Cal. Civ. Code § 1798.71.5), which requires reasonable data security measures but only for higher-risk types of personal information covered by California’s security breach notification law. This new legislation requires reasonable security measures regardless of whether a device processes any personal information at all. While the bills may seem narrow on their face, they are a noteworthy new direction for security laws and could be the first of many efforts to shape data security requirements for emerging technologies.