On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The new law, which requires that all IoT devices sold in California be equipped with reasonable security features, is the first IoT-specific security law in the United States.
Under the new law, manufacturers of “connected devices” that sell their products in California (Manufacturers) are required to incorporate “reasonable security features” into their devices. Canadian and other foreign manufacturers may be captured by this definition.
A connected device is defined to mean any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. This broad definition captures a wide range of equipment such as connected vehicles, toys, wearables and smart appliances.
The law also requires that the connected device be equipped with “reasonable security features.” These features must be:
The law offers some guidance to reduce ambiguity. For instance, if the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. However, beyond authentication, the law still mandates undefined “reasonable security features” leaving Manufacturers to look elsewhere for guidance.
Summary By: Jae Morris
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.