On September 28, 2018, California became the first state to enact legislation that governs cybersecurity measures on Internet of Things (IoT) devices, and it is sure to have implications nationwide. The law will take effect on January 1, 2020 and regulates “manufacturers of a connected device.” The statute defines “connected devices” as any device or physical object that can connect to the internet (directly or indirectly) and is assigned an IP address or Bluetooth address; this would encompass most devices that are considered part of the IoT. The law will require manufacturers to equip devices with reasonable security features that are “appropriate to the nature and function of the device and the information it may collect, contain or transmit” so as to prevent “unauthorized access, destruction, use, modification or disclosure.”
The statute doesn’t create a private right of action, thus vesting California state and local governments with the “exclusive authority” to enforce the statute through the California attorney general or a city attorney, county counsel, or district attorney. The statute further states that “manufacturer” does not mean someone who simply purchases an IoT device. The statute also doesn’t impose a duty on manufacturers for unaffiliated third-party software or applications installed by the user to the IoT device. The IoT law is exclusive of any obligation entities have under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or California’s Confidentiality of Medical Information Act.
The statute does give some safe harbor protections. For one, for IoT devices “with a means for authentication” outside of a LAN, it defines reasonable security features as either a unique pre-programmed password, or a feature that “requires a user to generate a new means of authentication” before accessing the device for the first time (in layman’s terms, a two-factor authentication system).
So, manufacturers of connected devices have until January 1, 2020, to incorporate reasonable security features into their devices, such that the device and any information stored on the device are protected from unauthorized access, destruction, use, modification, or disclosure. Since the statute doesn’t define the term “information”, it will likely be construed broadly by the “exclusive authorities” regulating the IoT bill. Thus, manufacturers of connected devices that are sold or offered for sale in California, and collect any sort of information, should begin equipping each of the connected devices with a unique pre-programmed password or the ability to require the user to generate a new password when initially setting up the device, so as to fit within the law’s safe harbor protections.
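The two safe-harbor features described above (a unique pre-programmed password per unit, or forcing the user to set a new credential before first use) can be sketched in firmware-side logic. The following is an added illustration written for this post, not code from the statute, the author, or any manufacturer; the device model, the PBKDF2 parameters, the password policy and the shared-default list are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed list of factory-wide defaults that a forced-rotation step should
# refuse; a shared default across all units is what the safe harbor rules out.
SHARED_DEFAULTS = {"admin", "password", "1234", "12345678", "default"}
MIN_PASSWORD_LEN = 12  # assumed policy for this example
PBKDF2_ROUNDS = 200_000  # assumed floor for a device with a capable CPU


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library; the device stores
    # only this digest, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes
    must_rotate: bool  # True until the user replaces the pre-programmed credential


@dataclass
class Device:
    device_id: str
    remote_auth_enabled: bool  # authentication reachable from outside the LAN
    credential: Optional[CredentialRecord] = None
    session_open: bool = False


def provision(device_id: str, remote_auth_enabled: bool = True) -> Tuple[Device, str]:
    """Factory step: give each unit its own random initial password.

    The returned plaintext is what would be printed on the unit's label; only
    its salted hash is written into the device."""
    initial = secrets.token_urlsafe(12)  # ~96 bits of entropy, unique per unit
    salt = os.urandom(16)
    rec = CredentialRecord(salt, _hash_password(initial, salt), must_rotate=True)
    return Device(device_id, remote_auth_enabled, rec), initial


def _verify(device: Device, password: str) -> bool:
    rec = device.credential
    if rec is None:
        return False
    # Constant-time comparison so a wrong guess cannot be timed against the digest.
    return hmac.compare_digest(_hash_password(password, rec.salt), rec.digest)


def login(device: Device, password: str) -> str:
    """Returns 'ok', 'rotate' (credential accepted, but a new one must be set
    before any other function is reachable) or 'denied'."""
    if not _verify(device, password):
        return "denied"
    if device.credential.must_rotate:
        return "rotate"  # no session is opened on the pre-programmed credential
    device.session_open = True
    return "ok"


def set_new_credential(device: Device, current: str, new: str) -> bool:
    """First-use rotation step; refuses weak, reused or well-known passwords."""
    if not _verify(device, current):
        return False
    if len(new) < MIN_PASSWORD_LEN or new.lower() in SHARED_DEFAULTS or new == current:
        return False
    salt = os.urandom(16)
    device.credential = CredentialRecord(salt, _hash_password(new, salt), must_rotate=False)
    return True


def safe_harbor_status(device: Device) -> str:
    """Which safe-harbor feature (as the post describes them) the unit currently
    relies on: 'unique-preprogrammed', 'user-generated', 'none', or 'n/a' when
    the device exposes no authentication outside the LAN."""
    if not device.remote_auth_enabled:
        return "n/a"
    if device.credential is None:
        return "none"
    return "unique-preprogrammed" if device.credential.must_rotate else "user-generated"


if __name__ == "__main__":
    dev, label_password = provision("unit-0001")
    print("fresh unit:", safe_harbor_status(dev), "->", login(dev, label_password))
    set_new_credential(dev, label_password, "correct horse battery staple")
    print("after rotation:", safe_harbor_status(dev), "->", login(dev, "correct horse battery staple"))
```

The point of the flow is that the pre-programmed credential never opens a working session: it is only good for reaching the rotation step, and the rotation step refuses the very defaults (shared, short, reused) that the statute's “reasonable security features” language is aimed at.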
If you seek advice on the California law or other IoT legal matters, please contact Ron Quirk at req@commlawgroup.com. Ron is an IoT attorney whose practice focuses on serving the complex legal and regulatory requirements of various IoT industry players. Ron specializes in broadband infrastructure siting, spectrum allocation, RF equipment authorization & marketing, cybersecurity, advocacy before the FCC, FTC, and state PUCs, licensing, and regulatory best practices.