On January 1, 2020, California’s landmark Internet of Things (IoT) security law (SB-327)[i] took effect. The first of its kind in the United States, the law responds to growing concern about the security of everyday objects that connect to the Internet (the “Internet of Things”). As the number of Internet-connected devices expands seemingly without limit, across refrigerators, doorbells, alarm clocks, cars, vacuums, and so on, commentators have raised concerns about how poorly many of them are secured. In the U.S., California has taken the first legislative step, followed by Oregon, and other states appear not to be far behind.
Who and what is covered?
The California IoT security law applies to anyone who manufactures, or contracts with another to manufacture on its behalf, connected devices that are sold or offered for sale in California.[ii] The California law defines “connected device” as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”[iii] Because the definition reaches devices that connect “indirectly” and those with only a Bluetooth address, a sensor that never speaks IP itself but reaches the Internet through a phone app or a hub still falls within it.
Notably, the California law is not limited to consumer devices. The definition of “connected device” appears broad enough to cover devices intended for industrial or other B2B purposes. This breadth appears to be intentional, as earlier drafts of the legislation would have limited the law to devices sold to consumers. Oregon’s IoT law (HB 2395), which was modeled on California’s and also came into effect in January, diverges in this respect: it limits its definition of “connected devices” to devices that are “used primarily for personal, family or household purposes.”[iv]
It is also important to keep in mind that neither the California nor the Oregon law is limited to devices that collect or process personal information. Their obligations apply to any device that meets the definition, regardless of what kind of information it processes.
Both of these laws exclude providers of electronic stores, marketplaces, or other means for purchasing or downloading software.[v] They also provide limited exceptions for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), with respect to activity regulated by HIPAA.[vi] Oregon’s law also has an exception for activity regulated by the Food and Drug Administration with respect to medical devices.[vii]
What is required?
Both the California and Oregon laws require that connected devices be equipped with “reasonable security features.”[viii] Under both, the “reasonable security features” must be appropriate for the nature and function of the device; appropriate for the information the device collects, contains, or transmits; and designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.[ix] Both states then add a safe harbor for one specific feature: if the device can be authenticated from outside a local area network, that means of authentication is deemed a reasonable security feature (subject to the general requirements above) when either the preprogrammed password is unique to each device manufactured, or the device requires the user to create a new means of authentication before accessing it for the first time.[x] A practitioner should read “unique” with care: a per-device default derived from something printed on the label or easily enumerated, such as a serial number or MAC address, is unique in the literal sense but predictable, whereas a randomly generated default, or a forced credential change at first use, is what the provision is aiming at. Beyond this, neither law provides clear guidance as to what else could constitute a “reasonable security feature.”
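As an added illustration (this is not code from either statute, nor from any manufacturer’s firmware), the following Python sketch implements both prongs of that safe harbor in one device: a random, per-device factory default generated at manufacturing time, and a gate that refuses all access until the owner has replaced that default, with the replacement step itself only reachable from the local network. The LAN range, minimum password length, and hashing parameters are assumptions chosen for the example.

```python
# Added example (not from the statutes or any vendor's firmware): a first-use
# credential gate covering both halves of the California/Oregon safe harbor.
# LAN range, password policy and KDF cost are assumptions for illustration.
import hashlib
import hmac
import ipaddress
import os
import secrets

# Assumption: the device's local network; anything outside it is "remote".
LAN = ipaddress.ip_network("192.168.1.0/24")
MIN_PASSWORD_LEN = 12        # assumed local policy, not a statutory number
PBKDF2_ROUNDS = 100_000      # assumed; tune to the device's CPU budget


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored verifier is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Authentication state for one connected device."""

    def __init__(self, lan: ipaddress.IPv4Network = LAN):
        self.lan = lan
        self.salt = b""
        self.verifier = b""
        self.factory_default = True   # True until the owner sets a credential

    def factory_provision(self) -> str:
        """Manufacturing step: a random default that is unique to THIS device.

        Deriving it from the serial number or MAC would also be "unique" but
        predictable, so a CSPRNG is used. The plaintext is returned once for
        the device label and is never stored on the device.
        """
        password = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.verifier = _digest(password, self.salt)
        self.factory_default = True
        return password

    def _check(self, password: str) -> bool:
        # compare_digest rejects mismatched lengths without leaking timing.
        return hmac.compare_digest(_digest(password, self.salt), self.verifier)

    def set_user_credential(self, current: str, new: str, remote_addr: str) -> tuple:
        """First-use credential change.

        While the factory default is in effect this is only reachable from the
        LAN, so an attacker on the Internet cannot race the owner to claim a
        freshly unboxed device. Returns (ok, reason).
        """
        if self.factory_default and ipaddress.ip_address(remote_addr) not in self.lan:
            return False, "setup only from LAN"
        if not self._check(current):
            return False, "bad credential"
        if len(new) < MIN_PASSWORD_LEN or self._check(new):
            return False, "weak or unchanged credential"
        self.salt = os.urandom(16)
        self.verifier = _digest(new, self.salt)
        self.factory_default = False
        return True, "ok"

    def authenticate(self, password: str) -> tuple:
        """Normal login, from any network. Refused outright until the owner has
        replaced the factory default; after that the credential is checked.
        Returns (ok, reason)."""
        if self.factory_default:
            return False, "setup required"
        if not self._check(password):
            return False, "bad credential"
        return True, "ok"


if __name__ == "__main__":
    dev = DeviceAuth()
    label_pw = dev.factory_provision()          # what would be printed on the label
    print(dev.authenticate(label_pw))           # refused: setup required
    print(dev.set_user_credential(label_pw, "correct horse battery staple", "203.0.113.5"))
    print(dev.set_user_credential(label_pw, "correct horse battery staple", "192.168.1.20"))
    print(dev.authenticate("correct horse battery staple"))
```

The two prongs are independent in the statutes, so a manufacturer could satisfy the safe harbor with either half alone; combining them, as above, means a device is protected both on the shelf (no shared default to scrape from a firmware image) and after a careless owner skips setup (no access at all until setup completes).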
What is next?
Other states have been actively considering similar laws, including bills proposed in New York and Virginia. Although the California Consumer Privacy Act (CCPA) has absorbed the attention of many businesses, covered manufacturers should pay equal attention to this separate, expanding trend of IoT security laws.