Flickr photo by jjkbach, https://flic.kr/p/S9pzW

California Adopts Nation’s First IoT Security Law

On September 28, California governor Jerry Brown signed SB-327 into law, making California the first state to pass a cybersecurity law regarding connected devices, which comprise what is popularly known as the Internet of Things (IoT). SB-327 was introduced in February 2017 and passed the California State Senate in late August. It will go into effect January 1, 2020, on the same day as California’s new Consumer Privacy Act (CCPA). While SB-327 creates baseline security standards for connected devices sold in California, there are mixed reactions from industry experts as to the effectiveness of the law’s protections. In addition, the passage of SB-327 could also spur increased attention to federal-level IoT legislation.

SB-327: History and Current Provisions

SB-327 was authored by Sen. Hannah-Beth Jackson (D-Santa Barbara). Early versions of the bill would have mandated a number of privacy requirements, including alerts when connected devices were collecting information, direct consumer notification of security patches, and consumer consent to collect certain kinds of information. These requirements garnered criticism from tech industry trade associations, and in response, Sen. Jackson scaled back SB-327 to focus on data security.

The main provisions of SB-327 are relatively concise. The law covers connected devices, defined broadly as “any device or other physical object that is capable of connecting to the Internet, directly or indirectly.” Manufacturers of connected devices must equip them with “reasonable security feature[s],” which are:

  • Appropriate to the nature and function of the device,
  • Appropriate to the information [the device] may collect, contain, or transmit, and
  • Designed to protect the device and the information it contains from unauthorized access, destruction, use, modification, or disclosure.

If a connected device can be accessed outside a local network by some means of authentication, it must either have a preprogrammed password that is unique to each device manufactured, or require a user to generate a new means of authentication before the device can be used. Armin Tadayon, a Fellow at law firm ZwillGen, has noted that it remains unclear if this choice of authentication options is entirely sufficient to meet the 3-element reasonableness standard or is only a necessary part of compliance.
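To make the two authentication options concrete, here is an added Python model of a per-unit compliance check; it is not from the article or the statute, and the DeviceConfig fields, the shared-default list and the function names are assumptions.

```python
"""Model of SB-327's authentication clause for a remotely reachable device.

Assumed/constructed: the DeviceConfig fields, SHARED_DEFAULTS and the check
function are illustrative and not taken from the statute's text.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Set

# Constructed: factory-wide defaults that would fail the "unique to each
# device" option if the same value shipped on every unit.
SHARED_DEFAULTS = {"admin", "password", "1234", "default"}


@dataclass
class DeviceConfig:
    serial: str
    remote_access: bool               # reachable from outside the local network
    preset_password: Optional[str]    # factory password, or None if none is set
    user_must_set_credential: bool    # device blocks use until the user sets one


def unique_factory_password(nbytes: int = 12) -> str:
    """Generate a per-unit password at manufacture time (option 1)."""
    return secrets.token_urlsafe(nbytes)


def satisfies_password_clause(cfg: DeviceConfig, seen_passwords: Set[str]) -> bool:
    """Return True if cfg meets one of SB-327's two authentication options.

    seen_passwords holds factory passwords already issued to other units, so a
    repeated preset is detected as non-unique.
    """
    if not cfg.remote_access:
        return True  # clause applies only to devices reachable outside the LAN
    if cfg.user_must_set_credential:
        return True  # option 2: user generates a new credential before first use
    pw = cfg.preset_password
    if pw is None or pw in SHARED_DEFAULTS or pw in seen_passwords:
        return False  # no password, a shared default, or a reused preset
    seen_passwords.add(pw)  # option 1: unique per-device preset
    return True
```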

Finally, SB-327 expressly disclaims any basis for a private right of action, and it provides for enforcement only by the state Attorney General, a city attorney, a county counsel, or a district attorney. SB-327 does not contain any mandatory penalties.

Mixed Expert Opinions

Some industry observers have applauded SB-327 as a positive initial step in improving IoT security, while others have criticized it for vagueness and sidestepping core IoT security problems.

Cybersecurity expert Robert Graham has criticized SB-327 as “backwards looking” and too focused on adding vaguely defined security features rather than removing insecure features. He claims the law’s reasonableness framework is concerned more with blaming IoT manufacturers for gaps in security than with establishing the most protection possible. While SB-327’s detractors grant that its requirement of unique passwords is a positive step, they argue that this is insufficient to counter rapidly evolving IoT threats. These detractors seek specific standards for “appropriate” security procedures and a way to verify that manufacturers comply with those standards.

Proponents of SB-327, on the other hand, argue that this is an initial step in the right direction. Technologist Bruce Schneier of the Harvard Kennedy School told the Washington Post, “[o]f course it probably doesn’t go far enough—but that’s no reason not to pass it. It’s a reason to keep going after you pass it.” In addition to serving as an initial step into IoT legislation, proponents see SB-327’s language as flexible rather than inexact. Since IoT technology and its accompanying security threats change so quickly, supporters claim that avoiding an overly prescriptive statute will help ensure the law can keep pace with technological changes and avoid becoming outdated quickly.

Federal IoT Legislation

In addition to its direct effects on connected devices sold in California, SB-327 could prompt a renewed look at federal IoT legislation, in the same way that the passage of the CCPA spurred efforts to develop federal data privacy legislation. There are several IoT security bills pending in Congress: in the Senate, Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.) have introduced the Internet of Things Cybersecurity Improvement Act. This bill would encourage IoT security development by requiring any business selling internet-connected devices to the federal government to ensure the devices are free of known security vulnerabilities, have changeable passwords, use industry-standard communication and encryption protocols, and are patchable. In the House, Rep. Jerry McNerney’s (D-Ca.) Securing IoT Act would require the FCC to create and use cybersecurity standards when certifying wireless equipment. Thus far, these bills have not gained much traction (in fact, SB-327’s introduction entirely predated both of these bills). It remains to be seen if SB-327’s passage will renew interest in this sphere of legislation.


Michael Rose

GLTR Editor; Georgetown Law, J.D. expected 2020; Harvard University, A.B. 2017. © 2018, Michael Rose