Get Smart about California IoT Law, Etc.
Privacy Plus+
Privacy, Technology and Perspective
Get Smart about California IoT Law - This week, we are going to share our thoughts on a more comprehensive approach to privacy and security in the U.S., but begin by considering all of your smart technologies against California’s Internet of Things (IoT) law, codified in California Civil Code §§ 1798.91.04 - 1798.91.06. A link to the statute follows:
https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180SB327
In short, the law requires manufacturers of connected devices — essentially, IoT devices — to equip those devices with “reasonable” security features that are appropriate to the nature and function of the device, appropriate to the information the device collects, and designed to prevent unauthorized access.
Details follow:
WHO IS COVERED:
The California IoT law applies to “manufacturers” of “connected devices” sold or offered for sale in California. The term “manufacturer” is defined as “any person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” See Cal. Civ. Code § 1798.91.05(c). A “connected device” is defined as any device capable of connecting to the Internet, directly or indirectly, and that is assigned an IP address or Bluetooth address. See id. at § 1798.91.05(b).
This is a broad definition that could include everything from sensors to actuators, wearable technology, vehicles, security cameras, home appliances and assistants, and network devices. Accordingly, the law cuts across a broad swath of manufacturers.
WHAT IS REQUIRED – “REASONABLE SECURITY FEATURES”:
The California IoT law requires covered manufacturers to equip all connected devices with “a reasonable security feature or features” that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
See Cal. Civ. Code § 1798.91.04(a). The statute deems certain security features reasonable, including having a unique, preprogrammed password or a feature that requires a user to generate a new password before accessing the devices. See id. § 1798.91.04(b).
While the law is vague regarding reasonable security features beyond password management, manufacturers should note the California Attorney General’s Office’s 2016 guidance, which recommends the Center for Internet Security’s “Critical Security Controls” for Effective Cyber Defense as a standard for security controls. A link to the Attorney General’s 2016 guidance follows:
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
In addition, the following is a link to the 20 CIS Critical Security Controls:
https://www.cisecurity.org/controls/cis-controls-list/
Notably, the California IoT law exempts certain entities which are already subject to HIPAA and the California Confidentiality of Medical Information Act. The statute does not require third-party software or applications providers (§1798.91.06(a)) or marketplaces or stores that may sell connected devices (§1798.91.06(b)) to review connected devices for compliance or enforce compliance. The law also prohibits private rights of action. See Cal. Civ. Code § 1798.91.06(e). Only the California Attorney General, a city attorney, a county counsel, or a district attorney has authority to enforce the statute. Id.
WHERE DOES THE LAW APPLY:
If your business qualifies as a “manufacturer” (see Who is Covered section, above) that sells or offers to sell “connected devices” in California, your business is covered under the California IoT law. See Cal. Civ. Code § 1798.91.05(c). It does not matter whether your business has a physical presence in California or not.
WHEN:
The California IoT law became operative on January 1, 2020. See Cal. Civ. Code § 1798.91.06(i).
WHY:
As acknowledged in the 2016 guidance referenced above, “[t]echnology such as smartphones, the ‘internet of things,’ wearable devices, and big data are transforming our lives at a rapid pace, while exponentially increasing the amount of personal information that is collected, used, and shared. At the same time, with data becoming more ubiquitous and valuable, the black market for stolen information also continues to expand, increasing the likelihood of hacking by cyber criminals.”
IoT botnets have long been seen as able to cause mayhem. As an example, we’ll refer you to this 2012 New York Times article about Microsoft’s efforts to defeat botnets, which involved legal maneuvers designed to seize zombie computers – the devices that make up a botnet are often described as “zombies” because they are usually taken over without the knowledge of their owners:
https://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html
And just this week, as the scale of botnets keeps growing because of the number of devices connected to the Internet, Wired magazine published an article entitled: “Hackers Could Use IoT Botnets to Manipulate Energy Markets.” A link to that Wired article follows:
https://www.wired.com/story/hackers-iot-botnets-manipulate-energy-markets/
What is clear is that the growth rate of IoT “connected devices” has expanded the threat landscape that we all are facing.
OUR THOUGHTS:
Take a moment to consider step 1 of the 20 CIS Controls by inventorying the IoT hardware that you have: Start with your car, and imagine it being turned into a zombie. Now, try to stop shivering long enough to consider the connected devices you may already have in your home: Alexa, your laptop, smartphone and earbuds, your Nest cameras and thermostat, your Ring doorbell cam, your smart scale and fitness tracker, your Amazon dash button, your smart security system, smoke alarm, door locks, and lights, your smart bike, your headphones, your smart television, remote control and refrigerator, and basically anything else that you have connected to your WiFi or that uses Bluetooth technology.
After that, start inventorying the connected devices that your children may have.
If this causes you to start thinking of getting better security features for your devices, we expect you’re a step ahead of many manufacturers covered by the California IoT law. We hope others will awake to the issue soon. Of course, seeing some meaningful enforcement might help with that. But what enforcement of California’s IoT law will look like, including any penalties, remains anyone’s guess.
Meanwhile, the news focus, at least this week, seems to be on foreign states—we’re thinking of President Trump’s executive order targeting speech and social media apps owned by Chinese companies. A link to that executive order follows:
Original link: https://www.whitehouse.gov/presidential-actions/executive-order-addressing-threat-posed-tiktok/
Updated here: https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-addressing-threat-posed-tiktok/
Threats from abroad are serious and getting worse. It seems to us that security and privacy risks from home and abroad must be prioritized, which will require closer attention to securing technologies, including applications, IoT devices and cloud storage.
Better IoT security controls – including where, how and for how long the data ultimately is stored, and how it is secured and used while stored – are essential. We see no reason why “reasonable” security features could not be required along with transparency in and around data flows, encryption for data at rest, limited data retention, and limits on the use of Americans' personal and proprietary information. Adoption of many principles of the GDPR would be a good start, not only to settle down some of the turbulence between us and many of our closest allies, but for strengthening all Western democracies – not least of which our own.
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.