Beginning in January 2020, two states will begin regulating the Internet of Things (IoT).
California enacted its law last year, which applies to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an IP or Bluetooth address.”
The definition encompasses everything from thermostats to televisions to fitness trackers, refrigerators, automobiles, security cameras, and devices such as the Amazon Echo and Google Home.
Manufacturers of connected devices are required to implement “reasonable” security features that are appropriate to the nature and function of the device; appropriate to the information collected by, contained in or transmitted by the device; and designed to protect the device and information it contains from unauthorized access, destruction, use, modification or disclosure. The new law also mandates that each connected device must be equipped with a password to authenticate the user before she is granted access to the device for the first time. The password can be either a unique preprogrammed password or a user-generated means of authentication.
California included some exemptions for entities and business associates covered by the Health Insurance Portability and Accountability Act, as well as “any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.”
Enforcement of the law rests with the state’s attorney general, city attorneys, county counsel and district attorneys. No private right of action was included.
The law enacted in Oregon covers similar territory but has a few key differences. The definition of a connected device covers the same range of gadgets but contains a limitation for devices that are used “primarily for personal, family or household purposes.” And while it also requires the use of “reasonable security features,” the Oregon law attempts to define the term.
Specifically, “reasonable security features” includes “(a) a means for authentication from outside a local area network, including (1) a preprogrammed password that is unique for each connected device; or (2) a requirement that a user generate a new means of authentication before gaining access to the connected device for the first time; or (b) compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.” A preprogrammed unique password, or the requirement that a new user of the device generate a new means of authentication prior to using the device for the first time, ensures that a smart device won’t have the same default password as everyone else’s device. These features also provide additional security so that an IoT device will be less susceptible to spying or hacking. Given that the estimated number of IoT devices around the world is in the billions, and that people value the convenience of the devices but don’t want to sacrifice privacy, it’s more important than ever that IoT devices be developed with reasonable security features.
Another unique feature of the bill is that a violation will be considered “an unlawful trade practice” under Oregon’s consumer protection law (ORS 646.607), which provides a private right of action.
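Both statutes quoted above come down to the same device-side behaviour: either the unit ships with a password that is unique to that unit, or it refuses to be used until its first user sets a new credential. The following is an added illustration of that first-access gate, written for this page and not taken from either law or from any vendor's firmware; the class, method names, blocklist and minimum length are constructed assumptions, and the two factory methods map to the Oregon text's alternatives (a)(1) and (a)(2).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed policy values for the example (hypothetical, not from either statute).
DEFAULT_CREDENTIALS = {"admin", "password", "12345678", "root"}  # well-known shared defaults
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is useless if the flash is dumped."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceAuth:
    """Hypothetical credential state of one connected device."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None
    # True while the device is waiting for its first user to set a credential
    # (Oregon (a)(2)); False from the start when the factory programmed a
    # per-unit unique password (Oregon (a)(1)).
    must_set_credential: bool = True

    @classmethod
    def factory_unique_password(cls) -> Tuple["DeviceAuth", str]:
        """(a)(1): generate a per-device password at provisioning time.

        Returns the device state and the one-time password to print on the
        unit's label. Each call draws fresh randomness, so no two devices share it.
        """
        label_password = secrets.token_urlsafe(12)  # ~96 bits of entropy
        dev = cls(must_set_credential=False)
        dev.password_hash = _hash_password(label_password, dev.salt)
        return dev, label_password

    @classmethod
    def factory_unset(cls) -> "DeviceAuth":
        """(a)(2): ship with no usable credential; first access must set one."""
        return cls(must_set_credential=True)

    def set_credential(self, new_password: str) -> bool:
        """Accept a user-chosen credential, rejecting short or well-known defaults."""
        if len(new_password) < MIN_LENGTH or new_password.lower() in DEFAULT_CREDENTIALS:
            return False
        self.salt = secrets.token_bytes(16)  # new salt on every change
        self.password_hash = _hash_password(new_password, self.salt)
        self.must_set_credential = False
        return True

    def authenticate(self, password: str) -> bool:
        """Remote login check. A device still in setup state accepts no login at all."""
        if self.must_set_credential or self.password_hash is None:
            return False
        return hmac.compare_digest(self.password_hash, _hash_password(password, self.salt))


if __name__ == "__main__":
    # Mode (a)(1): two units leave the factory with different label passwords.
    dev_a, pw_a = DeviceAuth.factory_unique_password()
    dev_b, pw_b = DeviceAuth.factory_unique_password()
    print("label passwords differ:", pw_a != pw_b)
    print("unit A accepts its own label password:", dev_a.authenticate(pw_a))
    print("unit A rejects unit B's password:", dev_a.authenticate(pw_b))

    # Mode (a)(2): nothing works until the first user sets a credential.
    dev_c = DeviceAuth.factory_unset()
    print("unset unit rejects empty login:", dev_c.authenticate(""))
    print("rejects shared default 'password':", dev_c.set_credential("password"))
    print("accepts a real credential:", dev_c.set_credential("correct-horse-battery"))
    print("login now works:", dev_c.authenticate("correct-horse-battery"))
```

The point the example makes that the statutory text does not is where the security comes from: in mode (a)(1) the uniqueness is a property of the provisioning step (fresh randomness per unit, never a serial-number-derived or shared string), and in mode (a)(2) the device must refuse every network login, not merely prompt, until the first credential has been set. Rejecting a short list of well-known defaults at `set_credential` time is a constructed addition that keeps a user from recreating the shared-password problem the laws are aimed at.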
Why it matters: Back in January 2015, the Federal Trade Commission (FTC) was the first to jump on the IoT bandwagon, releasing a report calling on companies that develop Internet-connected devices to take proactive steps to protect consumers’ privacy and keep their data secure. California and Oregon are the first two states to regulate IoT devices, but this is just the beginning, as many more states will seize the opportunity to require that reasonable security measures be taken in the development of products that are capable of Internet connections.