On September 28, 2018 California Governor Jerry Brown signed into law the first law in the United States governing the security of connected devices, set to take effect on January 1, 2020. The law places a burden on manufacturers of so-called “connected devices” to determine if changes to their security measures are required. The law applies to a broad range of “connected devices” and necessitates “reasonable” security. Quarles & Brady is working with manufacturers to determine whether products are covered and the “reasonableness” of security measures relative to the new law. Only a little over a year is provided to make any necessary security changes to products.
What is a Connected Device?
A connected device, sometimes called a “smart device” or “Internet of Things” (“IoT”) device, is any device or physical object that can connect to the internet and is assigned an IP address or Bluetooth address. There are countless examples of connected devices such as thermostats, cars, lights, appliances, watches, toys, and webcams.
What Does the Law Require?
California’s new connected device law requires manufacturers of connected devices to “equip the device with a reasonable security feature or features that are all of the following:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain, or transmit; and
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
If the connected device is equipped with a means for authentication outside a local area network, use of either of the following is deemed a “reasonable security feature”: (a) a preprogrammed password unique to each device manufactured, or (b) a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
In other words, as one option for reasonable security, the law contemplates either the manufacturer providing a unique password for each connected device or requiring the users to set a unique password prior to use of each connected device.
Does the California Connected Device Law Apply to Me?
The California connected device law applies to you if you manufacture connected devices, or contract with a third party to manufacture connected devices on your behalf, and those connected devices are sold or offered for sale in California.
The new law applies in the context of “manufacturing” and does not apply if you merely purchase a connected device and brand it with your logo. However, it is unclear how this exception will be interpreted because contracting with a third party to manufacture on your behalf does trigger application of this law.
Although the California connected device law has been met with mixed reactions, manufacturers will bear the burden of the effects of this new law. Manufacturers need to determine if this new law is applicable to them and re-evaluate the security of their connected devices. Quarles & Brady is working with manufacturers to make these determinations now, since only a little over a year is provided to make any necessary security changes to products.