Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.
California’s new IoT law is aimed at the security of “connected devices,” defined to include “any device, or other physical object that is capable of connecting to the Internet directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”[1] This broad definition largely captures the world of IoT devices with the exception of those devices, entities, or persons subject to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) or Confidentiality of Medical Information Act (Cal. Civ. Code § 56.10) or those devices otherwise “subject to security requirements under federal law, regulations or guidance.”[2] The law aims to make cybersecurity a greater focus at the design stage requiring manufacturers to equip devices with “reasonable security” features that are
- appropriate to the nature and function of the device;
- appropriate to the information the device may collect, contain, or transmit; and
- designed to protect the device and any information it may collect, contain, or transmit.[3]
The use of vague terms such as “reasonable” and “appropriate” will undoubtedly leave connected device manufacturers with more questions than answers. While the law may provide some coverage for devices “equipped with a means for authentication outside a local area network” with either a preprogrammed password or first-time user generated authentication, the guidance remains subject to the reasonable security feature considerations earlier promulgated by the code, which raises the question of whether there are circumstances where these security features will not be considered “reasonable” or “appropriate” for certain devices or information collected.[4]
It remains unclear whether California is looking for manufacturers to implement sweeping comprehensive security programs or rather will focus on individual security feature considerations. At a minimum, IoT manufacturers would be well served to examine their design processes and evaluate when and how cybersecurity is considered in the overall design and function of their connected devices in light of this new law. Some considerations when designing a connected device and evaluating which security features to utilize may include:
- What is the purpose of the device? How will the manufacturer market use of the device? How might consumers actually use the device?
- What categories of information is the device intended to collect, store, or transmit? What categories of information may a user choose to submit to the device for storage or transmission? How sensitive is the information?
Manufacturers can breathe a sigh of relief that the new law does not provide for a private right of action and, therefore, can avoid costly potential class action suits on the matter. However, there are still plenty of opportunities for manufacturers to face legal scrutiny as California’s attorney general, along with many city and district attorneys and county counsel, can bring suit under this law.[5]