Senate Bill 327, signed by the governor on Aug. 28, sets up a simple framework
It’s an old schtick at this point.
A legislator, perhaps playing the role of a commonsense reformer, wheels a thousand (or two or three)-page stack of papers into a press conference: the entire text of a law that he or she opposes, made concrete and visible. The legislator then bemoans the unnecessary bureaucracy and regulation that demanded such a tidal wave of ink and warns about the red tape that will stifle us all if the bill passes.
The California State Senate has turned this unfortunate image on its head with Senate Bill No. 327, which passed and was signed into law by Governor Jerry Brown on Aug. 28. The law will not take effect until Jan. 1, 2020.
Simple ≠ Easy
The bill, which addresses an enormously complex issue (security requirements for connected devices networked across the Internet of Things), is a masterpiece of simplicity. Aside from a few adjustments and definitions, the law simply requires connected device manufacturers to provide “reasonable” security features that are appropriate to the function of the device and the information it may store or transmit, and to protect the device and any information contained therein from unauthorized access or destruction.
The bill goes on to state that when it comes to connected devices with the “means for authentication outside a local area network,” either assigning a unique default password for each individual device or requiring a user to generate a new means of authentication upon first access will meet the definition of a “reasonable” security feature.
And that’s about it.
Given the contentious nature of American political life, there are surely those who will protest the simplicity of the law: how can legislation that is so schematic address the incredible complexity of security issues in a world where appliances and cars and clothing gather information and communicate incessantly?
But consider a problem that the law already addresses. One of the Internet’s most famous and persistent security vulnerabilities is the fact that many existing connected devices (the router in your home network, for instance) ship with easy-to-guess user IDs and passwords (“admin” and “password” being notorious examples). That practice will have to be abandoned under this bill.
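The two approaches the bill names as “reasonable” for devices that authenticate from outside the local network, a unique default password per device and a forced credential change on first access, can be modelled together. The following is an added illustration and is not code from the bill’s text or from any manufacturer; the serial numbers, the factory secret, and the device class are constructed for the example. It goes one step beyond the statute by refusing remote logins altogether until the first-access setup is complete, which is a design choice rather than a legal requirement.

```python
"""Model of per-device unique defaults plus mandatory first-access credential change.

Constructed example: serials, factory secret and policy thresholds are assumptions.
"""
import hashlib
import hmac
import os

# Factory-wide defaults that the bill's "unique per device" requirement rules out.
KNOWN_WEAK_DEFAULTS = {"admin", "password", "1234", "root", ""}
MIN_PASSWORD_LEN = 12


def derive_unique_default(device_serial: str, factory_secret: bytes) -> str:
    """Per-device default password: HMAC of the serial under a secret held only at the factory.

    Knowing one device's default (or its serial) does not reveal another device's.
    """
    mac = hmac.new(factory_secret, device_serial.encode(), hashlib.sha256).digest()
    return mac.hex()[:16]


class Device:
    """Authentication gate of a connected device (constructed for this example)."""

    def __init__(self, serial: str, factory_secret: bytes) -> None:
        self.serial = serial
        self.salt = os.urandom(16)
        # Approach (a): ship with a default that is unique to this unit.
        self._pw_hash = self._hash(derive_unique_default(serial, factory_secret))
        # Approach (b): the default must be replaced before normal use.
        self.must_change = True

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, remote: bool = False) -> str:
        """Return 'denied', 'change_required', 'remote_blocked' or 'ok'."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return "denied"
        if self.must_change:
            # Assumption beyond the statute: first-access setup is local-only, so
            # the unit never answers to its factory default from the Internet.
            return "remote_blocked" if remote else "change_required"
        return "ok"

    def set_password(self, old: str, new: str) -> bool:
        """First-access (or later) credential change with basic policy checks."""
        if self.login(old) == "denied":
            return False
        if new.lower() in KNOWN_WEAK_DEFAULTS or len(new) < MIN_PASSWORD_LEN:
            return False
        if hmac.compare_digest(self._hash(new), self._pw_hash):
            return False  # re-using the shipped default does not count as a change
        self._pw_hash = self._hash(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    secret = b"factory-only-secret (constructed)"
    unit = Device("SN-0001", secret)
    default = derive_unique_default("SN-0001", secret)
    print("login with 'admin':", unit.login("admin"))
    print("login with shipped default:", unit.login(default))
    print("remote login with shipped default:", unit.login(default, remote=True))
    print("set strong password:", unit.set_password(default, "correct-horse-battery"))
    print("remote login afterwards:", unit.login("correct-horse-battery", remote=True))
```

The per-device default derived from a factory-held secret is what makes the shipped credential unique rather than a printed-on-the-box constant, and the `must_change` flag is what turns “change it on first access” from advice into an enforced state.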
Beyond that, there is much about the Internet of Things that we cannot yet imagine, and that may be why the law was drafted in such a broad fashion: as the complexity of the connected world increases, the idea of what a “reasonable” security feature is will have to change, and different security standards will apply to devices that have disparate functions and uses.
California Senate Bill No. 327 is the first state law of its kind, and follows on the heels of the California Consumer Privacy Act of 2018, which was signed into law in June. As always, expect the provisions of California’s approach to these laws to have an outsized effect on the rest of the nation.