On September 28, 2018 California Gov. Jerry Brown signed into law two companion bills that regulate cybersecurity standards for Internet of Things (IoT) devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”) require that manufacturers of connected devices sold in California outfit their products with “reasonable” security features by January 1, 2020, the same date the California Consumer Privacy Act will also take effect.
The Bills require a manufacturer of a connected device to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” The legislation goes on to offer examples of a “reasonable” security feature, such as making the pre-programmed password unique to each device manufactured, or requiring the user to generate a new means of authentication before access to the device is granted for the first time.
Under the new law, “manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. A “contract with another person to manufacture” on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. The law therefore applies only to the person who manufactures, or contracts with someone to manufacture, a connected device that is sold or offered for sale in California. An electronics retailer such as Best Buy, for example, has no obligation to review or enforce compliance with the Bills.
According to Gartner, an estimated 20 billion devices will be online by 2020. As the first state or federal law to address IoT security, the California legislation will effectively become a standard for manufacturers of these devices. Currently, the IoT industry is largely self-regulated, governed by industry best practices as well as by Federal Trade Commission enforcement actions and guidance issued under the Commission’s broad authority to police deceptive security practices.
As companies increasingly rely on data to drive business, it is key to incorporate Privacy by Design practices, international laws like the GDPR, and forthcoming domestic legislation into privacy programs. TrustArc has privacy expertise and powerful technology to help your company navigate this increasingly complex landscape – contact us to find out more.