Right Out of the Box: California Enacts First-of-its-Kind Statute Regulating Internet-of-Things
Companies impacted by California's SB-327—especially manufacturers and distributors of IoT devices—should work to ensure compliance with the act as soon as possible if regulatory fallout is to be avoided come January 2020.
November 14, 2018 at 07:00 AM
7 minute read
The California legislature had a big year in 2018. While a great deal of attention has focused on the California Consumer Privacy Act of 2018 (CCPA), a sweeping new privacy law often compared to Europe's General Data Protection Regulation (GDPR), California also passed a less-publicized, but highly critical, statute that will regulate certain aspects of Internet of Things (IoT or connected) device security.
The IoT law, known as SB-327, should have a significant impact that extends well beyond California's borders when it goes into effect in January 2020. Companies impacted by SB-327—especially manufacturers and distributors of IoT devices—should work to ensure compliance with the act as soon as possible if regulatory fallout is to be avoided come January 2020.
What does the IoT statute cover?
As “smart” devices, like internet-connected refrigerators, coffee makers and even industrial control systems for the nation's critical infrastructure, become more prevalent, the opportunity for device hacking and improper use becomes more widespread and potentially more devastating. For example, the Mirai botnet, which took down a large swath of the internet in 2016, gained control of poorly protected IoT devices and used them to carry out one of the largest Distributed Denial of Service (DDoS) attacks on record.
On a more personal level, the proliferation of integrated cameras and sensors, often with easily hackable manufacturer default passwords, provides hackers with a ready means to peer into, if not break into, homes. With SB-327, California seeks to address these and related security concerns head-on.
What requirements does the IoT statute impose?
The primary way in which SB-327 will attempt to address IoT security risks is by directly imposing security requirements on the device manufacturers themselves. In contrast, regulations like the GDPR, New York's Department of Financial Services Cybersecurity Regulation (and even, implicitly, the CCPA), only call for third-party security reviews. Specifically, SB-327 will require companies offering IoT devices for sale in California to equip their products with “reasonable security features.” The obvious question then becomes, what does “reasonable” actually mean?
Unfortunately, “reasonable” features are not specifically defined in this context. Instead, SB-327 uses a principles-based approach, encompassing security features that are:
- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
This approach will require manufacturers of connected devices to continuously assess the risks attendant with these products, and incorporate security features commensurate with those risks, preferably (and most cost effectively) at the design phase. Manufacturers must also be prepared to document their risk-based decisions in the event that their reasonableness decisions are challenged.
In addition to the principles set forth above, SB-327 also provides certain reasonableness floors. For example, any IoT device that can be authenticated outside a local area network (LAN) must either come with authentication unique to that device, or require the user to “generate a new means of authentication before access is granted to the device for the first time.” A connection outside a LAN usually refers to the ability to access the functions of a device from anywhere with an internet connection, as opposed to a limited connection available only when connected to the same network as the device in question. This is similar to the difference between an intercom system, accessible only from within the building it is located in, and a landline telephone network, where any line is accessible so long as one is connected and dials the appropriate number.
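The authentication floor just described, modelled as an added example (it is not code from the article, the statute, or any vendor): the device refuses authentication from outside the LAN until it either shipped with a unit-unique factory credential or the user has replaced a shared default. The choice to let the first-use credential change happen over the local network, the PBKDF2 hashing and the 12-character minimum are assumptions made here, not requirements stated by the article.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_credential(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the device never stores a credential in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Device:
    serial: str
    salt: bytes
    credential_hash: bytes
    factory_unique: bool        # SB-327 option 1: credential unique to this unit
    user_changed: bool = False  # SB-327 option 2: user generated a new credential


def make_device(serial: str, factory_secret: str, factory_unique: bool) -> Device:
    """Factory provisioning; factory_secret is a constructed sample value."""
    salt = secrets.token_bytes(16)
    return Device(serial, salt, hash_credential(factory_secret, salt), factory_unique)


def meets_authentication_floor(dev: Device) -> bool:
    """True if either SB-327 condition for non-LAN authentication is satisfied."""
    return dev.factory_unique or dev.user_changed


def authenticate(dev: Device, secret: str, from_lan: bool) -> str:
    # Assumption: remote (non-LAN) logins are gated on the floor; LAN logins are
    # allowed so the owner can perform the first-use credential change locally.
    if not from_lan and not meets_authentication_floor(dev):
        return "denied: replace the default credential on the local network first"
    if not hmac.compare_digest(hash_credential(secret, dev.salt), dev.credential_hash):
        return "denied: bad credential"
    return "ok"


def set_credential(dev: Device, old_secret: str, new_secret: str) -> bool:
    """First-use credential change; refuses to keep the default or a short secret."""
    if not hmac.compare_digest(hash_credential(old_secret, dev.salt), dev.credential_hash):
        return False
    if len(new_secret) < 12 or new_secret == old_secret:
        return False
    dev.salt = secrets.token_bytes(16)
    dev.credential_hash = hash_credential(new_secret, dev.salt)
    dev.user_changed = True
    return True
```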
Looking elsewhere, including how other regulators approach risks associated with IoT devices, can also help inform what is considered “reasonable.” In fact, reasonableness standards around IoT device security under California law will likely come to mirror those developed around other products, services and systems that are vulnerable to a cyberattack. For example, regulators across industries are increasingly urging multi-factor authentication security systems in other products and services, instead of just usernames and passwords. In addition, the National Institute of Standards and Technology is currently examining ways it can standardize encryption methodologies for these devices, and regulators will likely consider those standards when they are released. Another example is the Food and Drug Administration (FDA), which recently released its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” as an increasing number of medical devices become part of the IoT. The report provides a number of preventative actions, many of which could also come to represent reasonableness across industries. For example, for each medical device, the FDA advises a “Hazard Vulnerability Analysis” to better understand and potentially address the effects an attack on that device could have. The guide goes further and provides particular examples of mitigation strategies, like isolating legacy devices that cannot be easily secured and connecting those devices to their own protected network.
Other sources of insight into the likely meaning of reasonableness include the Department of Homeland Security's “Strategic Principles for Securing the Internet of Things” and the Federal Communications Commission's discussion of IoT devices in its “Cybersecurity Risk Reduction” white paper.
How will the IoT law be enforced?
Fortunately, SB-327 does not provide a private right of action, and the law will be left to the California Attorney General and other state attorneys to enforce. On the other hand, to the extent these connected devices violate—or contribute to violations of—the privacy of their users, or are subject to third-party breaches, the CCPA can provide consumers with the ability to bring a civil complaint.
The CCPA may apply in other ways, too. For example, California residents have the right under the CCPA to request deletion of personal information collected. Section 1798.140(o)(H) of the CCPA includes “[a]udio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly implicates a number of IoT devices.
As is typical of the new wave of cyber and privacy regulations, there is no explicit grandfathering of legacy devices under SB-327, meaning that California could take the position that retrofitting is required to achieve compliance with the statute. Although it is unlikely that California will take that position, it does raise the question of whether IoT devices should, going forward, allow for remote security updates to maintain the requisite level of “reasonable security features” under the law. In addition, companies may want to consider how early in their production cycles they need to implement changes to make sure compliant devices are entering the supply chain no later than the effective date.
Conclusion
Ultimately, as IoT devices proliferate throughout supply chains and our homes, the benefits in efficiency and convenience they offer will come with increased cyber and privacy risks. California, in passing SB-327, is the first state to anticipate and attempt to protect against those kinds of vulnerabilities, but it will likely not be the last state to do so. Companies that manufacture and distribute IoT devices will be required to comply with this and other laws, and sufficient security features will need to be put in place. More importantly, however, these same security features can protect against breaches and hacks, and the resulting regulatory enforcement actions and litigation.
Although SB-327 is not scheduled to go into effect until January 2020, now is the time to plan and come into compliance with the law. This is particularly true for manufacturers, which will need plenty of lead time to design and implement the necessary security features.
Michael Bahar is a partner in the Washington DC office of Eversheds Sutherland where he co-leads the firm's global cybersecurity and privacy practice and is a member of the firm's litigation practice. Frank Nolan serves as counsel in the New York office of Eversheds Sutherland. He defends class action lawsuits and complex business litigation matters in federal and state courts throughout the country. Trevor Satnick is a staff attorney in the New York office of Eversheds Sutherland where he focuses on the full range of data issues, including data privacy and security, cyber risk and cyber breach responses, e-discovery and information governance.
© 2024 ALM Global, LLC, All Rights Reserved.