What is the California IoT Connected Devices Law?

In September 2018, California became the first state to pass a law requiring manufacturers to secure connected devices. The statute, Title 1.81.26, Security of Connected Devices (added to the California Civil Code by SB-327), is the first of its kind for Internet of Things (IoT) devices, and today we will explore some of the finer details of the law, which comes into effect January 1, 2020. It was passed right on the heels of the California Consumer Privacy Act and aims to protect the security of devices sold to California residents and of the information those devices collect and hold.

What is in scope?

The law defines a connected device as the following:

Any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

The law is directed at manufacturers of devices sold or offered for sale in California. It does not appear to reach devices that were not originally intended for sale in California and were merely resold there, and it does not impose comparable duties on providers of unaffiliated third-party software or applications that a user chooses to add to a device, or on the app stores and marketplaces that distribute them.

What is required from a security standpoint?

The law currently states that devices must be equipped with “reasonable security”:

A manufacturer of a connected device shall equip the device with a reasonable security feature or features….

Further, the law describes a reasonable security feature as one that is all of the following:

  1. Appropriate to the nature and function of the device.
  2. Appropriate to the information it may collect, contain, or transmit.
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Additionally, the law goes on to state: Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

  1. The pre-programmed password is unique to each device manufactured.
  2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
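The two authentication options above are the one part of the statute that is concrete enough to implement directly. The following is an added example, not code from the original article or from any vendor's firmware, showing what they look like in a device's credential handling: a factory provisioning step that generates a random password unique to each unit (option 1), a remote login path that refuses access until the owner has replaced that factory password (option 2), and a small fleet audit that flags units still accepting a shared default. All names (`Device`, `DeviceCredential`, `provision_device`, `remote_login`, `set_new_credential`, `audit_shared_password`) and the PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Added example, not code from the original article or any vendor's firmware.
# Every name below is an assumption made for illustration.

PBKDF2_ITERATIONS = 50_000  # assumed value; tune to the device's CPU budget


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so that a dumped credential store
    # does not directly reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceCredential:
    salt: bytes
    digest: bytes
    factory_default: bool  # True until the owner replaces the factory password

    def verify(self, password: str) -> bool:
        # Constant-time comparison of the derived digest.
        return hmac.compare_digest(self.digest, _hash_password(password, self.salt))


@dataclass
class Device:
    serial: str
    credential: DeviceCredential


def make_credential(password: str, factory_default: bool) -> DeviceCredential:
    salt = os.urandom(16)
    return DeviceCredential(salt, _hash_password(password, salt), factory_default)


def provision_device(serial: str) -> tuple[Device, str]:
    """Factory step implementing option 1: a random password unique to each unit.
    Returns the device record and the plaintext to print on that unit's label."""
    factory_password = secrets.token_urlsafe(12)
    device = Device(serial, make_credential(factory_password, factory_default=True))
    return device, factory_password


def remote_login(device: Device, password: str) -> str:
    """Authentication attempt from outside the local area network.
    Returns 'denied', 'rotation_required' or 'ok'. Implements option 2: a correct
    factory password never grants access until the owner has set a new one."""
    if not device.credential.verify(password):
        return "denied"
    if device.credential.factory_default:
        return "rotation_required"
    return "ok"


def set_new_credential(device: Device, current_password: str, new_password: str) -> bool:
    """Replace the factory (or any current) password. The caller must prove
    possession of the current password, and the new one must differ from it."""
    if not device.credential.verify(current_password):
        return False
    if len(new_password) < 12 or new_password == current_password:
        return False
    device.credential = make_credential(new_password, factory_default=False)
    return True


def audit_shared_password(fleet: list[Device], candidate: str) -> list[str]:
    """Fleet audit: serials of devices that still accept a given password.
    A fleet-wide default such as 'admin' shows up as many hits; correctly
    provisioned units show up as none."""
    return [d.serial for d in fleet if d.credential.verify(candidate)]


if __name__ == "__main__":
    dev, label_password = provision_device("SN-0001")
    print(remote_login(dev, label_password))  # rotation_required
    set_new_credential(dev, label_password, "owner-chosen-passphrase")
    print(remote_login(dev, "owner-chosen-passphrase"))  # ok
```

The check a practitioner wants from this is the one `audit_shared_password` performs: take a handful of units off the line and confirm that no single candidate password (the old fleet-wide default, the string in the quick-start guide) is accepted by more than one of them, and that a unit which has never been set up returns `rotation_required` rather than `ok` on its remote interface.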

What are the ramifications of not having reasonable security?

Unfortunately, the legislation does not spell out penalties for failing to meet the requirements or for suffering a breach, as the CCPA does. It does say who enforces it: the Attorney General, city attorneys, county counsel and district attorneys have exclusive authority to enforce the title, and it creates no private right of action. Time will tell what sorts of actions are taken against a manufacturer that fails to meet the requirements; however, you probably don't want to be the first to find out!

What should be done today?

First and foremost, evaluate the security of the devices you manufacture against the items the law itself lays out as "reasonable security". Because that wording is so generic, this is hard to assess on its own, so base your evaluation on an established best-practice standard: that lets you show due diligence and head off any argument about whether your device security is reasonable. Having a third party perform a best-practice gap analysis is a good way to accomplish this and to remove some of the ambiguity of a self-assessment, particularly if you are unsure what constitutes a reasonable level of security. At a minimum, the two authentication provisions quoted above give you concrete checks: no two units should ship with the same pre-programmed password, and a unit that has never been set up should not accept a login from outside the local network until its owner has replaced the factory credential.

Additionally, consider a more technical assessment of the devices you are manufacturing. A penetration test of the connected devices you build further demonstrates due diligence and tests the security actually applied to a device rather than the security described on paper. If you're interested in learning more about how we can help, feel free to contact us today and we would be happy to discuss further!