The law states that it is considered an appropriate security feature if one of the following requirements is met: (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. In conjunction with the California Consumer Privacy Act (CCPA), the law will impose new responsibilities and restrictions on businesses when it comes to data privacy and security. In March, U.S. lawmakers introduced a bipartisan bill in Congress that would require IoT makers who sell devices to the government to follow guidelines created by the National Institute of Standards and Technology. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, marks the third time federal legislation has been introduced to require security measures from manufacturers of connected devices. A bill to regulate IoT security has been introduced annually in Congress since 2017. California's law isn't the only legislation aimed at the security of connected devices. With 25 billion devices expected to be part of the global IoT landscape, lawmakers are subjecting IoT manufacturers to increasing scrutiny. Deb advises clients and focuses her practice on privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience in civil litigation and labour law consulting.

She has extensive experience advising on legal matters related to recruitment agencies, including Medicaid, as well as drafting and reviewing contracts, business partnership agreements, and data use agreements. California has another privacy law that went into effect on January 1, 2020, and it's not the California Consumer Privacy Act (CCPA). This data protection law regulates devices connected to the Internet of Things (IoT). SB 327 was approved in 2018 and entered into force on 1 January 2020. California's IoT law requires manufacturers of connected devices to equip the device with one or more appropriate security features which are all of the following: The way the law is written to ensure devices follow these guidelines may be enough, says Christine Lyon, a partner in Morrison & Foerster's privacy practice. “The law is only specific to authentication,” she says. “That sounds like enough, but I suspect that over time we will see more specificity in terms of the required security features.” California joins Oregon as one of two states that require adequate security features for IoT devices. For more information on Oregon's IoT law, check out our previous blog post here. Both laws mean that manufacturers must incorporate these security measures into networked devices. In practice, these security features mean that IoT devices are less vulnerable to attack because they no longer work with the default “generic” password set by a manufacturer.

Deborah George is a member of the firm's Commercial Litigation Group and the Data Privacy + Cybersecurity team. California's law, Senate Bill 327, was approved by the governor a year ago and requires that all connected devices sold in the state — regardless of where they are manufactured — include “one or more appropriate security features” that adequately protect the product user and user data from unauthorized access, modification or disclosure. The law states that individual hard-coded passwords are not allowed and that each device must have a unique passcode or that the user must generate a new password before using the device for the first time. Companies that make connected devices — from internet routers to connected thermostats to home security cameras — need to prepare for the enforcement of California's Internet of Things (IoT) Security Act, which will go into effect on Jan. 1, 2020, lawyers said this week. Another lawyer argues that establishing a strong authentication mechanism is only one of the required features. Dan Pepper, a privacy and confidentiality partner at law firm BakerHostetler, suggests looking to a 2016 California breach report that called the Center for Internet Security's critical security controls for effective cyber defense “ground” for adequate security. While the security required by law may seem like a small step, the number of devices affected by the legislation is quite large, according to lawyers. The text of the legislation doesn't specify the types of devices, but the law likely applies to a long list of hardware that falls under the term “connected device,” including products such as printers and security cameras, smart light bulbs and Apple Watches, Pepper says. Depending on the information that the device may collect, contain or transmit; and. California law does not specifically require retailers and sellers of equipment to ensure compliance with the law.

The law also appears to prevent the rule from being used as an anti-DIY reason, and states that it does not require features that “prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.” In addition, law enforcement reserves the right to collect device information from the manufacturer. So, which manufacturers need to comply with this new law and what counts as a networked device? “Because the requirements of the law are not onerous and it takes a long time to develop a special version of the products only for the California market, companies are likely to implement these changes for all their products,” she says. (1) The pre-programmed password is unique for each device manufactured; or. Because California law applies to all devices sold to consumers in the state — and because making too many product variants is too expensive — the impact of the law will likely be national, says Morrison & Foerster's Lyon. The confusion has led many companies to measure whether there is a risk to them under the law and wait for further advice, lawyers say. The law does not give consumers the right to private action. Only the government can investigate or punish companies under the law, which is another consideration for companies when assessing their risk. Appropriate to the nature and function of the product; “The law gives companies flexibility,” he says. “But if you're just doing the authentication step and you're not doing anything with updates or patches, encryption, or third-party components, then you're not doing it. This authentication piece is just a concrete example.” A connected device means any device or other physical object capable of connecting directly or indirectly to the Internet and assigned an Internet Protocol address or a Bluetooth address.

Smartphones, watches, speakers, portable devices, TVs, thermostats, doorbells – the list is almost endless – are examples of connected devices. The question is whether a simple authentication patch is enough for most devices or whether companies need to comply with a stricter standard. “A number of different types of devices are affected,” he says. Designed to protect the device and all information contained therein from unauthorized access, destruction, use, modification or disclosure. “The adoption of the CCPA will be a turning point for privacy not only in California but also in the United States,” Attila Tomaschek, a privacy lawyer at ProPrivacy.com, said in a statement. “Given that all applicable businesses across the country and around the world serving consumers in California will be required to comply with the law, businesses at all levels will likely prepare for compliance.” A manufacturer is defined as the person who manufactures connected equipment sold or offered for sale in California or who enters into a contract with another person to manufacture on behalf of the person. It seems pretty clear: if you're making a connected device sold or offered for sale in California, California's IoT law applies.
