On January 1, 2020, California became the first state to specifically regulate the security of web-connected devices – commonly called “Internet of Things” (IoT) devices.
The new law, Cal. Civ. Code § 1798.91.04, says that:
A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
It’s deemed a “reasonable” security feature if either of the following requirements is met:
- The preprogrammed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
A “connected device” is “any device or other physical object that’s capable of connecting to the Internet, directly or indirectly, and that’s assigned an Internet Protocol address or Bluetooth address.”
This includes a broad range of devices, including “old school” technology like printers as well as newer technology such as “smart” refrigerators and digital assistants like Alexa.
(The hacking of a smart fridge network was a plot point on HBO’s Silicon Valley.)
The new California IoT law doesn’t apply to devices that are regulated by federal law, such as medical devices.
(The hacking of the Vice-President’s internet-connected pacemaker was a plot point in the series Homeland.)
The new law will be enforced by California’s Attorney General and does not provide for private rights of action by consumers affected by failures to comply with the law.
An Oregon IoT law, passed after California’s, also took effect on January 1. The Oregon law applies only to devices used primarily for family, personal, or household purposes.
The UK is also apparently planning to provide similar IoT device regulations.