2020 California IoT Law Could Raise the Bar for Security
The law, as it’s written, reserves enforcement to the California Attorney General or district attorneys. Private individuals don’t have the right to file lawsuits against manufacturers for not complying. “It’s important, obviously, to comply. But I think the fact there’s not a private right of action means companies don’t need to be as concerned about open season for private consumer lawsuits here in California on this particular law,” Lyon said.
The statute itself also doesn’t specify statutory damages or what the potential penalties would be. “So in practice, there probably would be asserted as a consumer protection claim like under California Business and Professions Code 17200, that allows fines and recoveries of damages and so forth,” Lyon said.
In any event, SB 327 is a trailblazing piece of legislation, continuing California’s history of early adoption of cybersecurity-focused laws, Lyon said. “From what we have seen in the past, California has been the first out in a number of areas [related to] new types of privacy and security laws,” she said.
The fact that California has passed SB 327 will force other U.S. states to consider whether they want something similar. “I wouldn’t be at all surprised to see other state laws to start cropping up around IoT security,” Lyon said.
It is also likely that the legislation will help raise the level of cybersecurity for consumers outside of California, as manufacturers of IoT devices will likely find it simpler to comply than to split their product line between California consumers and those located elsewhere.
One consideration is that other states and perhaps countries across the world will pass their own versions of the legislation with different provisions. “I think the challenge will be, just as we have seen for breach notification and other types of laws, is every state will have its own take and probably have its own different definitions and different standards,” Lyon said. “And that’s always challenging for companies when you are starting to have to deal with multiple standards.”
In any event, the law is likely a first regulatory step toward progressively stronger security for IoT devices. “I think that this law, like most of our California privacy data security laws, is going to continue to expand over time,” Lyon said. “Often, these, you know, the law gets passed and then over time, the legislature starts adding to it like for a breach notification law. We tend to add to these laws. And I could easily see this law going the same direction.”