California IoT Security Law Cheat Sheet
Perhaps forgotten in coverage of the California Consumer Privacy Act (CCPA) is the California Internet of Things Security Law (the Act), which also takes effect January 1, 2020. The first IoT security law in the nation, the Act requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. The law therefore applies to any device assigned an IP address or Bluetooth address, including medical devices, copy machines, headsets, automobile entertainment centers, smart watches, smart appliances, and so on.
What is the California Internet of Things (IoT) Security Law?
Signed into law on September 28, 2018, the California IoT Security Law is the first IoT law in the nation that requires all “connected devices” sold or offered for sale in California to have “reasonable security” measures. The law does not create a private cause of action. Instead, the Act’s requirements are to be enforced by the California Attorney General, or by a city attorney, a county counsel, or a district attorney. The law goes into effect January 1, 2020.
What Businesses are Regulated by the California IoT Security Law?
The statute has a broad definition for “connected device,” defining the term as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This may include copy machines, Bluetooth devices, personal fitness devices, medical devices, televisions, printers, appliances, and more. The Act defines “manufacturer” as a “person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
The Act does not impose duties “upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance” under the Act. Nevertheless, companies that buy or sell any devices that may include IoT should review and negotiate their contracts to address these requirements in order to demonstrate their own reasonable cybersecurity measures, and in fact may be required to do so under other laws and regulations.
Reasonable Security Requirements
The California IoT Security Law requires manufacturers of connected devices to equip such devices “with a reasonable security feature or features that are all of the following:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
Subject to these requirements, if a connected device is equipped with a means for authentication outside a local area network, that feature is deemed a “reasonable security” measure only if it meets one of the following requirements:
- The preprogrammed password is unique to each device manufactured; or
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
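The two compliant options above, modelled in code as an added example (not from the Act or any vendor's firmware): option (a) generates a unique preprogrammed password per unit, option (b) refuses remote access until the user sets a new credential, and an audit function flags devices that satisfy neither. The device records are constructed sample data; the `Device` class, `audit` and the scrypt-based credential store are assumptions for illustration.

```python
import hashlib
import secrets
from collections import Counter
from dataclasses import dataclass, field


def hash_credential(password: str, salt: bytes) -> bytes:
    # Salted scrypt, so a leaked credential store does not expose the password itself.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def unique_preprogrammed_password() -> str:
    # Option (a): a CSPRNG-generated password that differs for every unit manufactured.
    return secrets.token_urlsafe(12)


@dataclass
class Device:
    serial: str
    forces_change_on_first_access: bool  # option (b): new credential before first access
    preprogrammed_password: str          # option (a) only if unique to this device
    salt: bytes = field(default=b"", repr=False)
    credential: bytes = field(default=b"", repr=False)
    first_access_done: bool = False

    def __post_init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.credential = hash_credential(self.preprogrammed_password, self.salt)

    def _matches(self, password: str) -> bool:
        return secrets.compare_digest(hash_credential(password, self.salt), self.credential)

    def set_new_credential(self, current: str, new_password: str) -> bool:
        # The user must prove possession of the current credential before replacing it.
        if not self._matches(current):
            return False
        self.salt = secrets.token_bytes(16)
        self.credential = hash_credential(new_password, self.salt)
        self.first_access_done = True
        return True

    def login(self, password: str) -> str:
        if self.forces_change_on_first_access and not self.first_access_done:
            return "must_set_new_credential"  # no access granted until option (b) is satisfied
        return "granted" if self._matches(password) else "denied"


def audit(devices: list[Device]) -> list[str]:
    """Serials of devices whose remote authentication satisfies neither option (a) nor (b)."""
    shared = Counter(d.preprogrammed_password for d in devices)
    return [d.serial for d in devices
            if shared[d.preprogrammed_password] > 1 and not d.forces_change_on_first_access]
```

A manufacturer's provisioning pipeline would run `audit` over the production records for a batch before the units ship.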