The growing network of internet of things (IoT) devices is expected to reach 30 billion devices by 2020. Despite this tremendous growth, the state of IoT regulation is patchwork at best. Although the FTC is the primary security regulator for consumer IoT devices, there are no comprehensive regulations or laws specific to the unique challenges of the IoT market. This absence of clear and unambiguous standards can be a burden for IoT companies who are looking to innovate while maintaining their customers’ privacy.
NIST initiatives in IoT
To help offer consistent guidance regarding the privacy and security of IoT devices, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk in IoT devices. On October 16, 2018, in conjunction with the International Association of Privacy Professionals’ Privacy, NIST will begin holding a series of public workshops to collect input from stakeholders. These workshops seek to develop practical tools and recommendations to support continued U.S. innovation, while ensuring stronger privacy protections.
California Legislature Takes Aim at IoT Privacy Regulations
Months after passing the sweeping California Consumer Privacy Act of 2018 (“CCPA”), the California legislature once again is proposing potentially significant privacy and security requirements. As the summer closed, the legislature passed companion bills (CA AB 1906 and CA SB 327) that are intended to regulate the security of connected devices. If signed by Governor Brown, the legislation would go into effect on the same day as the CCPA, January 1, 2020.
The requirements contained in the companion bills are additive to any duties or obligations imposed under other laws, including the CCPA. A connected device, as defined in the bills, is any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or a Bluetooth address. Given this broad definition, it could apply to any device that is capable of connecting to the Internet or to another device, including cell phones, toys, computers, and almost certainly most smart home devices.
The bills require manufacturers of connected devices to equip the devices with “reasonable security features” that are:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain, or transmit; and
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Subject to the requirements above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either:
- the preprogrammed password is unique to each device manufactured; or
- the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Notably, medical devices and other items subject to federal standards would be exempt from the bill. The bills do not provide a separate specific private right of action, but the bill provides for enforcement by the Attorney General, a city attorney, a county counsel, or a district attorney. The bills also do not address civil penalties or remedies that may result from enforcement. However, it is possible that the requirement to implement reasonable security measures could be used to establish a legal duty in data breach cases and other privacy claims, even when enforced by consumers. As with other emerging privacy laws, this could lead to an increase in privacy litigation perhaps well beyond California.