Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.
With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.
SB 327 will require that a manufacturer of a “connected device” equip the device with a defined minimum amount of security. “Connected device” is defined quite broadly and as written encompasses “any device, or other physical object” with an IP address or a Bluetooth address that can connect to the Internet “directly or indirectly,” which nowadays could be just about anything ranging from a garden hose to a Barbie doll.
Nearly everything we touch and with which we interact in our daily lives is now connected to and over the Internet—known as the Internet of Things (“IoT”). The new law addresses the fact that there is no real existing requirement for security standards in IoT devices, and the cause for concern is real. In 2016, hackers took advantage of unchanged default usernames and passwords in thousands of IoT devices to create the Mirai botnet, which was used to crash huge portions of the web. Meanwhile, nearly every day brings new articles detailing how an IoT-something-or-other (like a vacuum) can be used to spy on consumers due to security vulnerabilities.
With a recent report that IoT device malware has increased by three times in the last year, the need for a push like SB 327 is apparent. But will it work? The law states that the required “reasonable security feature or features” must be:
(1) Appropriate to the nature and function of the device;
(2) Appropriate to the information it may collect, contain, or transmit; and
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The law goes on to include a carve-out for those devices “equipped with a means for authentication outside a local area network”: such a device is deemed to have a reasonable security feature under the law if it meets either of two requirements:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
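To make the carve-out concrete, here is an added example (not code from the original post or from any manufacturer) of a device login gate that covers both paths: each unit is provisioned with its own random password (path 1), and any factory-set credential is usable only to set a new one before first access is granted (path 2). The state layout, the credential-length rule, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Illustrative parameters, not taken from the statute.
PBKDF2_ITERATIONS = 50_000
MIN_NEW_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision(factory_password: Optional[str] = None) -> Tuple[dict, str]:
    """Factory step. With no password supplied, generate one unique to this
    unit (path 1). Either way the credential is flagged as a default, so the
    device will force rotation before first access (path 2)."""
    password = factory_password or secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    state = {"salt": salt, "hash": _hash(password, salt), "is_default": True}
    return state, password


def _matches(state: dict, password: str) -> bool:
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(_hash(password, state["salt"]), state["hash"])


def login(state: dict, password: str) -> str:
    """Return 'denied', 'must_set_credential', or 'granted'. A valid default
    credential never yields 'granted'; it only unlocks set_credential()."""
    if not _matches(state, password):
        return "denied"
    if state["is_default"]:
        return "must_set_credential"
    return "granted"


def set_credential(state: dict, current_password: str, new_password: str) -> bool:
    """Replace the credential; this is the only action a default credential permits."""
    if not _matches(state, current_password):
        return False
    if new_password == current_password or len(new_password) < MIN_NEW_PASSWORD_LEN:
        return False
    state["salt"] = secrets.token_bytes(16)
    state["hash"] = _hash(new_password, state["salt"])
    state["is_default"] = False
    return True
```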
SB 327 has no private right of action, leaving enforcement in the hands of the California Attorney General. SB 327 also omits mention of any specific penalties for violations.
The world will have to wait until 2020 to see if either new California privacy law has teeth; however, companies preparing for both laws should get started sooner rather than later. Those IoT devices already sold in California may have to be put to rest if they possess firmware issues that are noncompliant with SB 327. And manufacturers that rush the process may have to consider product end-of-life issues or face a possible enforcement action from the FTC.