California’s New IoT Security Law

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The new law, which requires that all IoT devices sold in California be equipped with reasonable security features, is the first IoT-specific security law in the United States.

Under the new law, manufacturers of “connected devices” that sell their products in California (Manufacturers) are required to incorporate “reasonable security features” into their devices.  Canadian and other foreign manufacturers may be captured by this definition.

A connected device is defined to mean any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. This broad definition captures a wide range of equipment such as connected vehicles, toys, wearables and smart appliances.

The law also requires that the connected device be equipped with “reasonable security features.” These features must be:

• appropriate to the nature and function of the device;
• appropriate to the information the device may collect or transmit; and
• designed to protect the device and any information stored within from unauthorized access, destruction, use, modification or disclosure.

The law offers some guidance to reduce ambiguity. For instance, if the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. However, beyond authentication, the law still mandates undefined “reasonable security features” leaving Manufacturers to look elsewhere for guidance. 

Summary By: Jae Morris