2020 California IoT Law Could Raise the Bar for Security
The IoT law slated to go into effect in 2020 could help create more consistent security practices across the Internet of Things landscape.
December 20, 2018
Security has become the shadow side of the Internet of Things. That’s especially been the case following the October 2016 Mirai botnet attack against the DNS provider Dyn, which resulted in scores of prominent websites suffering connectivity problems. Before the attack, it was hard to imagine that scores of connected devices such as IP cameras, routers and TV modems could cause such chaos.
There have been calls to regulate IoT devices, but to date, little relevant legislation has been passed. And since manufacturers have little incentive to spend the extra money to offer a reasonable level of security in their products, the same type of unsecured IoT devices that enabled the Mirai botnet are still commonplace now.
The situation could change following the passage of the California law SB 327, which demands connected devices have “reasonable security.” The law is slated to take effect in January 2020. “There is a larger theme or trend going on here in California, where we’re looking at privacy and security issues in a broader way than in the past,” said Christine E. Lyon, a partner at Morrison Foerster.
Traditionally, most states have data security and privacy laws focused on specific types of high-risk data such as medical information, credit card numbers, financial account information, social security numbers and so forth. The IoT-focused security bill SB 327, as well as the California Consumer Privacy Act of 2018, break precedent in their broad approach. “For me, one of the interesting aspects of this IoT security law is it doesn’t refer to personal information at all,” Lyon said. It also doesn’t single out consumer devices. Instead, the law essentially says: “If a device is connected to the internet or capable of being connected — if it has an IP, Bluetooth address or equivalent, then you have to have security,” Lyon summarized.
One of the law’s narrower provisions is that it forbids the use of default passwords, which, incidentally, was the shoddy security practice that enabled the Mirai botnet attack against Dyn.
The law’s broad approach has won both praise and condemnation from pundits. As for the latter, Robert Graham from Errata Security describes the legislation as a “typically bad bill based on a superficial understanding of cybersecurity,” while security guru Bruce Schneier wrote: “This law is not a panacea. But we have to start somewhere, and it is a start.”
The law, as it’s written, reserves enforcement to the California Attorney General or district attorneys. Private individuals don’t have the right to file lawsuits against manufacturers for not complying. “It’s important, obviously, to comply. But I think the fact there’s not a private right of action means companies don’t need to be as concerned about open season for private consumer lawsuits here in California on this particular law,” Lyon said.
The statute itself also doesn’t specify statutory damages or what the potential penalties would be. “So in practice, there probably would be asserted as a consumer protection claim like under California Business and Professions Code 17200, that allows fines and recoveries of damages and so forth,” Lyon said.
In any event, SB 327 is a trailblazing piece of legislation, representing a continuation of California’s history with its early adoption of cybersecurity-focused legislation, Lyon said. “From what we have seen in the past, California has been the first out in a number of areas [related to] new types of privacy and security laws,” she said.
The fact that California has passed SB 327 will force other U.S. states to consider whether they want something similar. “I wouldn’t be at all surprised to see other state laws to start cropping up around IoT security,” Lyon said.
It is also likely that the legislation will help to nudge upward the degree of cybersecurity for consumers outside of California, as manufacturers of IoT devices will likely find it simpler to comply than to bifurcate their product line for California consumers and for those located elsewhere.
One consideration is that other states and perhaps countries across the world will pass their own versions of the legislation with different provisions. “I think the challenge will be, just as we have seen for breach notification and other types of laws, is every state will have its own take and probably have its own different definitions and different standards,” Lyon said. “And that’s always challenging for companies when you are starting to have to deal with multiple standards.”
In any event, the law is likely a first regulatory step that will lead to progressively increased security of IoT devices over time. “I think that this law, like most of our California privacy data security laws, is going to continue to expand over time,” Lyon said. “Often, these you know, the law gets passed and then over time, the legislature starts adding to it like for a breach notification law. We tend to add to these laws. And I could easily see this law going the same direction.”