The Internet of (Secure) Things: California Now Regulates Security of IoT Devices
January 29, 2020 – Alerts
Much has been said, and written, about the California Consumer Privacy Act (CCPA), but less attention has been devoted to another important California law that took effect on Jan. 1, 2020 — the Internet of Things Security Law. As the first Internet of Things (IoT) law in the United States, it requires manufacturers that sell or offer to sell a connected device in California to equip the device with reasonable security features.
Does the Law Apply to You?
The law broadly applies to manufacturers that produce and sell connected devices themselves and those that manufacture connected devices on behalf of others. However, the law does not apply if the connected device is not sold or offered for sale in California.
The law also does not apply to manufacturers of connected devices that are subject to security requirements under federal law, manufacturers subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or manufacturers subject to California’s Confidentiality of Medical Information Act.
What is a Connected Device?
A connected device is a device or other physical object that is capable of connecting directly or indirectly to the internet and is assigned an IP or Bluetooth address. This expansive definition arguably covers a wide range of devices, including connected vehicles, copiers, printers, televisions, fitness trackers, smart refrigerators, smart thermostats, light bulbs and smart watches.
What is Reasonable Security?
The law does not define “reasonable security.” To make this determination, businesses will need to assess the nature and use of the specific connected device and the security features implemented in the device. The law provides manufacturers broad parameters to evaluate reasonableness. To be a reasonable security feature, the feature must be:
- Appropriate to the nature and function of the device
- Appropriate to the information it may collect, contain, or transmit
- Designed to protect the device and information contained therein from unauthorized access, destruction, use, modification or disclosure
If a connected device is equipped with a means for authentication outside of a local area network, it is deemed to possess a reasonable security feature only if it meets one of the following requirements:
- It must have a preprogrammed unique password.
- The connected device must require a user to generate a new means of authentication before access is granted to the connected device for the first time.
To help in making a determination on reasonable security features, manufacturers can look to existing frameworks and standards such as the NIST Recommendations for IoT Device Manufacturers and the ENISA Good Practices for Security of IoT.
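The two statutory authentication paths above can be expressed as a small device-side policy. The following is an added illustration, not code from the article or from any standard it cites; the `Device` model, the shared-default factory path used as the non-compliant contrast, and the PBKDF2 stand-in for a production password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(pw: str, salt: bytes) -> bytes:
    # Stand-in for a proper password hash; any slow, salted KDF would do.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Device:
    """Authentication state of one connected-device unit (hypothetical model)."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None       # no credential until provisioned
    preprogrammed_unique: bool = False    # path 1: unique factory password
    credential_set_by_user: bool = False  # path 2: user generated a new credential


def factory_load_shared_default(dev: Device, shared_pw: str) -> None:
    """Non-compliant baseline: the same password loaded on every unit."""
    dev.pw_hash = _hash(shared_pw, dev.salt)
    dev.preprogrammed_unique = False


def provision_unique_password(dev: Device) -> str:
    """Path 1: factory assigns a random password unique to this unit."""
    pw = secrets.token_urlsafe(12)
    dev.pw_hash = _hash(pw, dev.salt)
    dev.preprogrammed_unique = True
    return pw  # goes on the unit label; only the hash stays on the device


def set_user_credential(dev: Device, new_pw: str) -> None:
    """Path 2: the user generates a new credential before first access."""
    dev.pw_hash = _hash(new_pw, dev.salt)
    dev.credential_set_by_user = True


def remote_auth_permitted(dev: Device) -> bool:
    """Authentication from outside the LAN is allowed only on a compliant path."""
    return dev.preprogrammed_unique or dev.credential_set_by_user


def authenticate_remote(dev: Device, pw: str) -> bool:
    """Remote login attempt; a shared default never unlocks the device."""
    if not remote_auth_permitted(dev) or dev.pw_hash is None:
        return False
    return hmac.compare_digest(_hash(pw, dev.salt), dev.pw_hash)
```

A unit shipped with a fleet-wide default therefore stays closed to remote access until the owner sets a credential, while a unit with a per-device factory password is usable immediately.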
What if I’m Not in California?
California was the first, but not the only state to enact an IoT law. Oregon’s IoT law, passed after California’s, also took effect Jan. 1, 2020. The Oregon law requires connected devices used primarily for family, personal or household purposes to have reasonable security features.
While other states’ proposals are similar to California’s IoT law, there are key differences. Vermont’s bill, for example, drops the general reasonable-security requirement and instead mandates specific security features for connected devices, including encryption for network communication functions, automatic security updates, strong passwords, vulnerability management and a detailed privacy notice. The Massachusetts bill also gives its Department of Consumer Affairs and Business Regulation the authority to adopt detailed regulations for safeguarding personal information and ensuring the security of connected devices.
Kristen Ricci is an attorney in Fox Rothschild’s Privacy & Data Security Practice. For assistance with the full range of data privacy compliance issues, contact Kristen at [email protected] or 215.299.2095.