Companies that make connected devices — from Internet routers to connected thermostats to home-monitoring cameras — need to start preparing for the enforcement of California's Internet of Things (IoT) security law, which goes into effect on January 1, 2020, attorneys said this week.
The question is whether a simple authentication fix is enough for most devices or whether companies need to adhere to a more rigorous standard.
The California law, Senate Bill 327, was approved by the governor a year ago and requires that all connected devices sold in the state— no matter where they are made — incorporate "a reasonable security feature or features" that appropriately protect the user of the product and the user's data from unauthorized access, modification, or disclosure. The law specifies that single hard-coded passwords are not allowed, and each device must either have a unique passcode or require the user to generate a new passcode before using the device for the first time.
The way the law is written, ensuring devices follow that guidance may be enough, says Christine Lyon, partner in the privacy practice of Morrison & Foerster. "The law is only specific to authentication," she says. "That seems sufficient, but what I suspect will happen over time is that we will see more specificity around the required security features."
Yet another attorney argues that establishing a strong authentication mechanism is only one of the required features. Guidance of what constitutes "reasonable security" is hinted at by a 2016 California breach report, which labeled the Center for Internet Security's Critical Security Controls for Effective Cyber Defense as the "floor" for adequate security, says Dan Pepper, a privacy and data protection partner at the law firm BakerHostetler.
"The law is offering companies flexibility," he says. "But if all you are doing is taking the authentication step and you are not doing anything with updates or patches, encryption, or third-party components, then you are falling short. That authentication piece is just one concrete example."
The confusion has caused many companies to measure whether there is any risk to them under the statute and to wait for further guidance, the attorneys say. The law does not give consumers the right of private action. Only the government can investigate or penalize companies under the law, which is another consideration for companies in assessing their risk.
While the security required by the law may seem like baby steps, the number of devices impacted by the legislation is quite large, according to the attorneys. The text of the legislation does not specify types of devices, but the law likely applies to a long list of hardware covered by the term "connected device," including products such as printers and security cameras, smart lightbulbs, and Apple watches, Pepper says.
"Quite a few different types of devices are impacted," he says.
The California law is not the only legislation to target the security of connected devices. With 25 billion devices expected to be part of the global IoT landscape, legislators are subjecting IoT manufacturers to increasing scrutiny.
In March, US lawmakers introduced a bipartisan bill into Congress that would require IoT makers selling devices to the government to follow guidelines produced by the National Institute of Standards and Technology. Known as the Internet of Things Cybersecurity Improvement Act of 2019, the bill is the third time that federal legislation has been introduced to require security measures by connected device makers. A bill to govern IoT security has been introduced into Congress annually since 2017.
Because the California law applies to any device sold to consumers in the state — and the manufacture of too many product variants is cost-prohibitive — the impact of the law will likely be national, says Morrison & Foerster's Lyon.
"Because the law's requirements are not onerous, and because it is time consuming to create a special version of products just for the Californian market, companies will probably implement these changes across all their products," she says.
In conjunction with the California Consumer Privacy Act (CCPA), the law will put new responsibilities and restrictions on companies for privacy and data security.
"The enactment of the CCPA will be a watershed moment for data privacy not just in California, but also throughout the United States," said Attila Tomaschek, data privacy advocate at ProPrivacy.com, in a statement. "Since any applicable business across the country and indeed across the globe that serves consumers in California will be required to abide by the law, companies across the board will likely be gearing up for compliance."
The California law explicitly does not require that retailers and sellers of devices ensure compliance with the law. The law also seems to prevent using the rule as a reason for anti-tinkering measures, stating that the laws does not require features that "prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion."
In addition, law enforcement retains the right to gather information about devices from the manufacturer.
- Consumers Urged to Secure Their Digital Lives
- Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
- New IoT Security Bill: Third Time's the Charm?
- Firmware: A New Attack Vector Requiring Industry Leadership
- A Checklist for Securing the Internet of Things
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, But Definitely 'Well Done'