As of January 1, 2020, manufacturers of internet-connected devices sold or offered for sale in California must follow new state legislation governing cybersecurity measures, including a requirement to equip devices with reasonable security features designed to protect the device and any information contained therein.
When Governor Jerry Brown signed Senate Bill 327 on September 28, California became the first state to enact legislation expressly governing cybersecurity measures that must be employed by manufacturers of internet-connected “smart” devices, collectively known as the Internet of Things (IoT). The law, to be codified at California Civil Code Sections 1798.91.04–06, will take effect January 1, 2020.
The new law applies to any “manufacturer of a connected device,” which is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” A “connected device” is “any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address,” a definition that is broad enough to encompass most devices that are commonly considered part of the IoT.
Connected device manufacturers are required to “equip the device with a reasonable security feature or features” that must be “appropriate to the nature and function of the device [and] the information it may collect, contain, or transmit.” The reasonable security features must also be “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
There are some safe harbors under the statute. For example, the following measures will be deemed reasonable security features for connected devices “with a means for authentication outside a local area network”:
The term “manufacturer” does not include those who simply purchase a connected device, or purchase and brand a connected device. The statute also does not impose a duty on the manufacturer of a connected device with respect to unaffiliated third-party software or applications that a user chooses to add to a connected device. The IoT law also does not apply to entities to the extent that they are subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or California’s Confidentiality of Medical Information Act.
The IoT law does not create a private right of action. Instead, the California attorney general or a city attorney, county counsel, or district attorney will have “exclusive authority” to enforce the statute.
Thus, manufacturers of connected devices have until January 1, 2020, to incorporate reasonable security features into their devices, such that the device and any information stored on the device are protected from unauthorized access, destruction, use, modification, or disclosure. Significantly, the term “information” is not defined by the statute. The statute, instead, uses broad terms such as “any information” and “the information it may collect, contain, or transmit.” Accordingly, the statute will likely be construed broadly by the attorney general or a city attorney, county counsel, or district attorney, instead of being limited to the protection of personal identifying information only. If the connected device could be understood as collecting any information, manufacturers of connected devices sold or offered for sale in California should address IoT law compliance by equipping each of the connected devices with a unique preprogrammed password or the ability to require the user to generate a new password when initially setting up the device, so as to fit within the law’s safe harbor.
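As an added illustration (not part of this LawFlash, and not any manufacturer's code), the Python below audits a constructed device inventory against the two safe-harbor measures the article names: a preprogrammed password that is unique to each device, or a feature that forces the user to set a new credential before first access. The record fields (`serial`, `default_password`, `forces_new_credential`) and the sample serial numbers and passwords are assumptions made up for the example.

```python
"""Audit a device inventory against the two SB 327 safe-harbor measures.

Added example; the field names and sample records are constructed for
illustration and are not taken from the statute or any real product.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    default_password: str        # credential preprogrammed into the unit
    forces_new_credential: bool  # must the user set a new credential on first access?


# Constructed sample inventory: two units ship the same default password
# without forcing a change, one forces a change, two have per-unit passwords.
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", "x7Q9-kL2m", False),
    DeviceRecord("SN-0002", "admin", False),
    DeviceRecord("SN-0003", "admin", True),
    DeviceRecord("SN-0004", "admin", False),
    DeviceRecord("SN-0005", "p4Ss-Zz01", True),
]


def shared_default_passwords(fleet):
    """Return the set of preprogrammed passwords used by more than one unit.

    Note the limitation: this only proves non-uniqueness within the records
    supplied. A password seen once here may still be reused on units that
    are not in the inventory, so a clean result is evidence, not proof.
    """
    counts = Counter(d.default_password for d in fleet)
    return {pw for pw, n in counts.items() if n > 1}


def meets_safe_harbor(device, shared):
    """True if the unit satisfies either safe-harbor measure.

    Either the unit forces a new credential before first access, or its
    preprogrammed password is not shared with any other unit in the inventory.
    """
    return device.forces_new_credential or device.default_password not in shared


def audit(fleet):
    """Map each serial number to whether it meets a safe-harbor measure."""
    shared = shared_default_passwords(fleet)
    return {d.serial: meets_safe_harbor(d, shared) for d in fleet}


def noncompliant_serials(fleet):
    """Serials that meet neither measure, in inventory order."""
    return [serial for serial, ok in audit(fleet).items() if not ok]


if __name__ == "__main__":
    for serial, ok in audit(SAMPLE_FLEET).items():
        print(f"{serial}: {'safe harbor' if ok else 'NEEDS REVIEW'}")
    print("Shared defaults:", shared_default_passwords(SAMPLE_FLEET))
```

Run on the constructed inventory, the audit flags SN-0002 and SN-0004: both ship the shared "admin" password and do not force a new credential at setup. SN-0003 shares the same password but is covered by the forced-change measure. Whether a feature is "reasonable" for a given device under the statute remains a legal question; this check only tells an engineering team which units clearly fall outside the two enumerated safe harbors.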
The IoT law’s requirements seem to build upon prior laws and regulatory guidance. The law’s “reasonable security features” requirement resembles the “reasonable security” mandate of California Civil Code Section 1798.82.5, and its password requirement is similar to recommendations in the Federal Trade Commission’s 2015 guidance document on IoT, “Careful Connections: Building Security in the Internet of Things.” IoT device manufacturers may be able to limit exposure under the new law by obtaining certification from third-party organizations that have developed standards for security of connected devices, such as Underwriters Laboratory and wireless industry association CTIA. Like the recently enacted California Consumer Privacy Act, it seems certain that the new IoT law will have a national impact—and will likely be viewed as the de facto national standard for the connected device industry.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
W. Reece Hirsch