For many companies, January 1, 2020 became synonymous with the operative date of the California Consumer Privacy Act. Manufacturers of Internet-connected devices must also keep in mind a second piece of legislation that was signed into law on September 28, 2018 and became operative on the same day, January 1, 2020. This new law (2018 Cal. Legis. Serv. Ch. 886 (S.B. 327), codified at Cal. Civ. Code § 1798.91.04 et seq.) (“IoT Law”) makes California the first state to specifically regulate the security of connected devices, commonly referred to as Internet of Things (IoT) devices.

What does the IoT Law regulate?

According to the California legislative record, the purpose of the IoT Law is to ensure that IoT devices are equipped with reasonable security measures to protect them from unauthorized access, use, destruction, disclosure, or modification by hackers. The IoT Law regulates the security of IoT devices, as well as any information contained on those devices. The term “connected device” is broadly defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Note that the definition turns on the capability to connect, not on whether the device is actually connected, so a product that ships with an unused network interface is still covered. The definition captures the whole range of ‘traditional’ IoT devices, including printers and televisions, as well as less conventional products. Importantly, the IoT Law does not apply to connected devices whose functionality is already subject to security requirements under US federal law, regulations, or federal agency guidance (e.g., medical devices regulated by the FDA and vehicles regulated by NHTSA).

What companies does the IoT Law apply to?

The IoT Law has broad reach: it applies to all manufacturers that sell or offer IoT devices for sale in California, regardless of where the devices are actually made, as well as to companies that contract with others to manufacture IoT devices on their behalf (i.e., companies that outsource their manufacturing operations). The IoT Law does not impose additional obligations on manufacturers with respect to unaffiliated third-party software or applications that individual users choose to add to the device.

What are the requirements of the IoT Law?

At a high level, the IoT Law requires reasonable security features for IoT devices, which must be:

(i) appropriate to the nature and function of the device;
(ii) appropriate to the information the device may collect, contain, or transmit; and
(iii) designed to protect the device and any information contained on the device from unauthorized access, destruction, use, modification, or disclosure.

Although the law itself does not define what “reasonable security features” means in general, it does contain a specific safe-harbor provision for devices equipped with a means for authentication outside a local area network. For these devices, a security feature is deemed “reasonable” if either of the following requirements is met: (i) the preprogrammed password is unique to each manufactured device; or (ii) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. In practice, manufacturers should read (i) carefully: a default password that is unique but derived from a value an attacker can observe or look up (the serial number printed on the label, or the MAC address visible on the network) satisfies the letter of the provision while offering little protection, and meeting the safe harbor for authentication does not by itself address other device weaknesses that the general reasonableness standard still covers.
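As an added illustration of the two safe-harbor features described above (this is example code written for this article, not code from the statute, the legislative record, or any manufacturer), the following models one manufactured unit that is reachable from outside its local network. It provisions a per-device default credential from the operating system's CSPRNG rather than deriving it from the serial or MAC address, and it refuses to grant access until the user replaces that default. The class name `DeviceAuth`, the `PBKDF2_ROUNDS` work factor, the `MIN_USER_PASSWORD_LEN` policy and the return strings are assumptions chosen for the example; the statute sets no such parameters.

```python
"""Unique per-device default credential plus forced first-access reset.

Added example for this article. Names, work factor and the minimum
password length are illustrative assumptions, not statutory values.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000        # assumed work factor; tune for the device CPU
MIN_USER_PASSWORD_LEN = 12     # assumed local policy, not a statutory number


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; only the hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Authentication state for one manufactured unit (assumed class)."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        # Feature (i): a preprogrammed password unique to this unit. It is
        # drawn from the OS CSPRNG at provisioning time, NOT derived from the
        # serial or MAC address (those are unique too, but guessable from the
        # label or from network traffic). This is the value printed on the
        # device label for the owner.
        self.factory_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._stored = _hash(self.factory_password, self._salt)
        # Feature (ii): nothing is granted until the user generates a new
        # means of authentication.
        self.setup_complete = False

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the derived hash.
        return hmac.compare_digest(_hash(password, self._salt), self._stored)

    def login(self, password: str) -> str:
        """Return 'granted', 'setup_required' or 'denied'."""
        if not self._check(password):
            return "denied"
        if not self.setup_complete:
            # The factory password is right, but first access is still gated
            # on the user replacing it; no session is created here.
            return "setup_required"
        return "granted"

    def set_credential(self, current_password: str, new_password: str) -> bool:
        """Replace the credential; True on success, False if rejected."""
        if not self._check(current_password):
            return False
        if len(new_password) < MIN_USER_PASSWORD_LEN:
            return False
        if new_password == self.factory_password:
            return False  # the "new" credential must actually be new
        self._salt = os.urandom(16)
        self._stored = _hash(new_password, self._salt)
        self.setup_complete = True
        return True


def factory_passwords_unique(devices) -> bool:
    """Fleet-level check for feature (i): no two units share a default."""
    return len({d.factory_password for d in devices}) == len(devices)


if __name__ == "__main__":
    unit = DeviceAuth(serial="SN-0001")          # constructed sample unit
    label = unit.factory_password                # what the owner reads off the label
    assert unit.login("admin") == "denied"
    assert unit.login(label) == "setup_required"
    assert unit.set_credential(label, "correct horse battery")
    assert unit.login(label) == "denied"          # factory default no longer works
    assert unit.login("correct horse battery") == "granted"
    assert factory_passwords_unique([DeviceAuth(f"SN-{i:04d}") for i in range(20)])
    print("ok")
```

The design point is that the two safe-harbor options reinforce each other: the unique default stops one leaked password from opening every unit, and the forced reset stops the default from surviving on a device that is exposed to the Internet for years. A device that only prints a unique password on a label still ships with a credential the manufacturer knows and the owner may never change, which is why the example does not treat a correct factory password as a login until setup is complete.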

How will the IoT Law be enforced?

The IoT Law does not confer a private right of action; enforcement authority rests exclusively with public prosecutors, namely the California Attorney General, city attorneys, county counsel and district attorneys. Private plaintiffs might nevertheless attempt to refer to the new law when pursuing other causes of action, for example to show breach of a duty of care for purposes of asserting negligence.

What must manufacturers do to comply with the IoT Law?

Companies should review the types of information their IoT devices are meant to collect, as well as the types of information the devices could collect. The legislative history of the IoT Law is telling in this respect, because it repeatedly references traditional household objects, such as microwaves, refrigerators and children’s toys, that have the capacity to collect more information than is necessary to fulfill their purposes. The legislators focused on one particular example, a ‘smart doll’ equipped with Bluetooth technology that allowed the doll to converse with children. The doll could prompt children to provide all manner of information, including the name of their school or their home address. At the same time, security vulnerabilities gave hackers access to this information, as well as the ability to program the dolls from up to 50 feet away, including to speak to children in the privacy of their own homes.

Devices that could be seen as collecting sensitive information (e.g., smart toys, baby monitors, and other household devices) should be scrutinized with particular care in light of their potentially expansive functionality, as well as their potential connectivity to a larger network. On this point, California legislators referenced the ability of malware to propagate across networks of IoT devices with users doing nothing more than turning their devices on. For IoT devices configured to be part of such interconnected networks, manufacturers will have to consider the implications of that interconnectivity, particularly with an eye toward the spread of a virus, ransomware, or any other type of malware from one device to the next.

Companies should also test the security of their IoT devices, including the manner in which, and the ease with which, those devices could be compromised by unauthorized parties. When introducing the IoT Law for consideration, California legislators expressed concern about the ability of hackers to exploit vulnerabilities in IoT devices in order to cause physical harm. Specifically, they referenced the case of a researcher who was able to hack his own insulin pump, gaining control over the amount and frequency of insulin delivered and thereby demonstrating “how a lethal dose could be triggered remotely by an attacker.”

Lastly, manufacturers should remediate the security vulnerabilities they identify in their IoT devices and implement additional security features to address them, keeping records of what was found and fixed. Because the standard established by the IoT Law is one of reasonableness, in the event of a data security incident companies will benefit from being able to show such documented, reasonable efforts toward creating safer, more secure IoT devices.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.