California SB-327: The Security of Connected Devices
In September 2019, California signed Senate Bill 327, also known as the California Internet of Things (IoT) Security Law. While not an extensively written piece of legislation like the California Consumer Privacy Act (CCPA), SB-327 took effect on January 1, 2020, and focuses on manufacturers of connected devices, requiring updated security standards that protect both devices and end-users.
Key Provisions
The two main provisions of SB-327 explain that manufacturers must equip devices with reasonable security features and unique passwords or security measures.
Reasonable Security Features: These requirements protect the device and prevent unauthorized access to information it collects, stores, or transmits. Some reasonable security features include data encryption, secure APIs, and regular software updates or patches. They are unique to the use case or function of the device. Most medical device providers already utilize these security requirements to prioritize data privacy in healthcare.
Unique Passwords and Security Measures: Connected devices outside local area networks must be assigned a unique preprogrammed password or require new users to create a new password before first-time access to an IoT device.
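As an added illustration (not text from the bill or this article), the Python below models the two compliant paths of the password provision and audits a constructed device inventory for the shared-factory-default pattern the law targets; the record fields, function names, and sample serial numbers are assumptions.

```python
import hashlib
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceRecord:
    """One unit in a manufacturer's provisioning inventory (constructed model)."""
    serial: str
    preset_password: Optional[str]   # factory-programmed password, None if none
    forces_setup_on_first_use: bool  # user must set a password before first access

def audit_fleet(devices):
    """Classify each unit against the SB-327 password provision: a unit passes
    if it forces first-use password setup, or if its preprogrammed password is
    unique to that unit. A preset shared across units (the default-credential
    pattern) fails, as does a unit that offers neither path."""
    shared = Counter(d.preset_password for d in devices if d.preset_password)
    findings = {}
    for d in devices:
        if d.forces_setup_on_first_use:
            findings[d.serial] = "ok: password set by user before first access"
        elif not d.preset_password:
            findings[d.serial] = "fail: no credential and no first-use setup"
        elif shared[d.preset_password] > 1:
            findings[d.serial] = "fail: preset password shared across units"
        else:
            findings[d.serial] = "ok: unique preprogrammed password"
    return findings

def provision_unique(serial, length=16):
    """Manufacturing step for the 'unique preprogrammed password' path: a
    per-unit random password plus a salted PBKDF2 hash. Only the hash belongs
    in the firmware image; the cleartext goes on that unit's label."""
    password = secrets.token_urlsafe(length)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return password, f"{serial}:{salt.hex()}${digest.hex()}"

# Constructed sample inventory: two units sharing a factory default, one with a
# unique preset, one that forces setup on first access.
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", "admin", False),
    DeviceRecord("SN-0002", "admin", False),
    DeviceRecord("SN-0003", "x7Qp-9vL2-mK4r", False),
    DeviceRecord("SN-0004", None, True),
]
```

Running `audit_fleet(SAMPLE_FLEET)` flags SN-0001 and SN-0002 for the shared default and passes the other two units.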
Rationale
There are a variety of reasons why California adopted SB-327. One of the major ones is the rapid increase in IoT devices over the last decade. These devices constantly collect, use, and store data at home, at work, or in public spaces, which creates an increased risk of misuse or unauthorized data access.
Many IoT devices manufactured in the last decade lack strong security measures. Devices have been shipped with default passwords, creating vulnerabilities that make them an easy target for attackers. The number of high-profile security breaches involving IoT devices shows how easy it is to access protected data, posing a risk to personal privacy and potential financial damage. One example is the devastating Mirai botnet in 2016, which compromised over 100,000 devices that used a default username and password.
Finally, SB-327 encourages manufacturers of IoT devices to prioritize cybersecurity when designing and producing their devices. This type of responsible manufacturing provides additional security for end-users, protecting data and preventing breaches.
IoT Devices Defined
An IoT device, or “connected device,” is defined by this law as any device, sensor, or other object capable of connecting to the internet. This includes devices that connect directly or indirectly to the internet and are assigned an IP address or Bluetooth address.
Examples of IoT devices include innovative home accessories like smart thermostats or intelligent home security systems. Because these devices connect to the internet via Wi-Fi and sync data to the cloud, they fall under the umbrella of “Internet of Things” devices. Another example is wearable health devices, like Fitbit wristbands or Apple Watches, that monitor and sync your health data to the cloud.
Who Must Comply with SB-327?
The main parties required to comply with SB-327 are IoT device manufacturers that sell in California. This includes the device manufacturer and other contracted businesses or individuals. Companies that design and produce devices and brands that sell white-label IoT devices are also required to comply with SB-327.
SB-327 does not apply to third parties that merely connect to IoT devices or offer services that use them, since they are not manufacturers. Likewise, a party that only provides a platform for selling IoT devices, such as an electronics store or online marketplace, and has no control over the connected devices is not covered by this law.
Penalties for Non-Compliance
SB-327 does not list specific penalties for non-compliance in the bill’s text. Instead, the law empowers attorneys, ranging from California’s Attorney General to local district attorneys, to enforce the provisions of SB-327. This can lead to penalties, although those penalties will depend on the specific nature of the case, the violation, and whether the violation caused any harm.
Additionally, the law does not provide a private right of action for end-users. This means that an individual consumer or a business cannot sue an IoT manufacturer directly for not complying with SB-327.