On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures.
There has been a significant amount of discussion regarding exactly what types of devices are covered by the new regulations and what “reasonable security measures” entail.
Who is covered?
Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, since the interconnectivity of third-party software may be the source of a security breach, the question arises whether to consider how a covered device interacts with such third-party software.
How far does the law reach?
A “connected device” is defined quite broadly. Under the definition, a connected device is any device or “other physical object” that is capable of connecting to the internet (even by being paired with another device) and assigned an IP or Bluetooth address.
This definition potentially captures a whole range of equipment, including:
The law requires that the connected device be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within from unauthorized access, destruction, use, modification or disclosure. Recognizing the indefinite standards within the statute, the law offers some flexibility to avoid some ambiguity. If the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. This specificity goes beyond the guidance provided in prior FTC enforcement actions, which have recognized vulnerabilities posed by default settings without deeming reasonable any specific approach to initial password management.
But note that this guidance relates to only the authentication aspect of the device. The rest of the requirements in the law still mandate undefined reasonable security features beyond just authentication.
Fortunately, on February 26, 2016, the California Department of Justice (CDOJ) released the California Data Breach Report (Breach Report), which provided analyses of approximately 657 data breaches reported to the CDOJ between 2012 and 2015. The Breach Report defines compliance with the 20 security controls promulgated in the CIS Critical Security Controls for Effective Cyber Defense as the “floor” for “reasonable” cybersecurity and data protection. The Breach Report identifies data security standards published by the National Institute of Standards and Technology in Special Publication 800-53, and standard ISO/IEC 27002:2013, published by the International Organization for Standardization as “foundational.” According to the CDOJ, the 20 security controls identified by CIS “constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
The controls can be broken down into a set of policies and actions:
Inventory, track and secure all connections and software, including all hardware and personal devices that connect to your company’s network, and ensure that software and browsers are not vulnerable to attacks whereby malware and backdoor programs can be installed in your company’s system.
Manage and control configurations for operating systems and applications. Default configurations are intended for ease of deployment and use, not for security.
Control users by establishing and securing administrative privileges, and establishing access to network areas on a need-to-know basis.
Update continuously with software updates and security patches, and monitor for security advisories and threat bulletins. Understanding and managing system vulnerabilities has become a continuous activity, requiring significant time and attention.
Protect key assets with proper tools and procedures. A company should ensure that its web browsers are updated in order to protect itself against malware, and that appropriate processes are undertaken for backing up critical data and allowing its timely recovery. Without access to trustworthy data recovery capability, it may be difficult to remove all aspects of a hacker’s presence in the company’s network. A company should also undertake procedures to protect its data through use of encryption, integrity protection and data loss prevention (DLP techniques.
Implement defenses against malware and boundary intrusions with automated and rapid software updating at points of possible attacks, and adopt multilayered boundary defenses by relying on firewalls, DMZ perimeter networks and proxies. Block access to vulnerable entry points through use of port scanning tools, by limiting and controlling wireless access and entry ports, and by managing the security life of software as vulnerabilities are discovered and disclosed.
Train staff by providing security training to employees and vendors who have access to your company’s network and data. Monitor activity on network accounts and review network audit logs to prevent hackers from being able to hide the presence of malware and their activities on compromised devices; close inactive accounts.
Test and prepare by creating a cybersecurity incident response plan, assembling a response team, and running exercises to test your company’s security and ability to respond quickly to a data breach or other cyberattack.
Who can enforce the law?
Private parties do not have the authority to sue under the California law; rather, the law delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels and district attorneys. The law also does not specify what types of penalties officials can seek for violations, what the maximum penalties are or whether officials must prove that actual harm to consumers has occurred before seeking penalties.