Right Out of the Box: California Enacts First-of-its-Kind Statute Regulating Internet-of-Things
Companies impacted by California's SB-327—especially manufacturers and distributors of IoT devices—should work to ensure compliance with the act as soon as possible if regulatory fallout is to be avoided come January 2020.
November 14, 2018 at 07:00 AM
The California legislature had a big year in 2018. While a great deal of attention has focused on the California Consumer Privacy Act of 2018 (CCPA), a sweeping new privacy law often compared to Europe's General Data Protection Regulation (GDPR), California also passed a less-publicized, but highly critical, statute that will regulate certain aspects of Internet of Things (IoT or connected) device security.
The IoT law, known as SB-327, should have a significant impact that extends well beyond California's borders when it goes into effect in January 2020. Companies impacted by SB-327—especially manufacturers and distributors of IoT devices—should work to ensure compliance with the act as soon as possible if regulatory fallout is to be avoided come January 2020.
What does the IoT statute cover?
As “smart” devices, like internet-connected refrigerators, coffee makers and even industrial control systems for the nation's critical infrastructure, become more prevalent, the opportunity for device hacking and improper use becomes more widespread and potentially more devastating. For example, the Mirai botnet, which took down a large swath of the internet in 2016, gained control of poorly protected IoT devices and used them to carry out one of the largest Distributed Denial of Service (DDoS) attacks on record.
On a more personal level, the proliferation of integrated cameras and sensors, often with easily hackable manufacturer default passwords, provides hackers with a ready means to peer into, if not break into, homes. With SB-327, California seeks to address these and related security concerns head-on.
What requirements does the IoT statute impose?
The primary way in which SB-327 will attempt to address IoT security risks is by directly imposing security requirements on the device manufacturers themselves. In contrast, regulations like the GDPR, New York's Department of Financial Services Cybersecurity Regulation (and even, implicitly, the CCPA), only call for third-party security reviews. Specifically, SB-327 will require companies offering IoT devices for sale in California to equip their products with “reasonable security features.” The obvious question then becomes, what does “reasonable” actually mean?
Unfortunately, “reasonable” features are not specifically defined in this context. Instead, SB-327 uses a principles-based approach, encompassing security features that are:
- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
This approach will require manufacturers of connected devices to continuously assess the risks attendant to these products, and to incorporate security features commensurate with those risks, preferably (and most cost-effectively) at the design phase. Manufacturers must also be prepared to document their risk-based decisions in the event that their reasonableness determinations are challenged.
In addition to the principles set forth above, SB-327 also provides certain reasonableness floors. For example, any IoT device that can be authenticated outside a local area network (LAN) must either come with authentication unique to that device, or require the user to “generate a new means of authentication before access is granted to the device for the first time.” A connection outside a LAN usually refers to the ability to access the functions of a device from anywhere with an internet connection, as opposed to a limited connection available only when connected to the same network as the device in question. This is similar to the difference between an intercom system, accessible only from within the building in which it is located, and a landline telephone network, where any line is accessible so long as one is connected and dials the appropriate number.
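As an added illustration (not part of the original article), the following audit checks a constructed fleet of device provisioning records against the authentication floor just described: a remotely reachable device passes only if its factory credential is unique to that unit or the device forces the user to generate a new credential before first access. The record fields are assumptions about what a manufacturer's provisioning data might contain.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    """Assumed provisioning record for one unit (constructed for this example)."""
    serial: str
    remote_access: bool            # can the device be authenticated outside a LAN?
    factory_credential: str        # credential shipped with the unit
    forces_change_on_first_use: bool  # must the user set a new credential first?


def audit_fleet(devices):
    """Return {serial: reason} for each device that fails the SB-327 floor.

    A shipped credential only counts as "unique to that device" if no other
    unit in the fleet shares it, so uniqueness is checked across the fleet
    rather than trusted from a per-device flag.
    """
    counts = Counter(d.factory_credential for d in devices)
    shared = {cred for cred, n in counts.items() if n > 1}
    findings = {}
    for d in devices:
        if not d.remote_access:
            continue  # the floor applies only to devices reachable outside a LAN
        if d.factory_credential not in shared:
            continue  # per-device unique credential satisfies the floor
        if d.forces_change_on_first_use:
            continue  # forced credential generation before first access also satisfies it
        findings[d.serial] = "shared factory credential and no forced change before first access"
    return findings


# Constructed sample fleet: one unit ships a fleet-wide default with no forced change.
FLEET = [
    DeviceRecord("SN-0001", True, "unit-specific-credential-0001", False),
    DeviceRecord("SN-0002", True, "factory-default-A", False),
    DeviceRecord("SN-0003", True, "factory-default-A", True),
    DeviceRecord("SN-0004", False, "factory-default-A", False),
]

if __name__ == "__main__":
    for serial, reason in audit_fleet(FLEET).items():
        print(f"{serial}: {reason}")
```

Only SN-0002 is flagged: SN-0003 shares the same default but forces a change on first use, and SN-0004 is not reachable outside the LAN, so the floor does not apply to it.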
Looking elsewhere, including how other regulators approach risks associated with IoT devices, can also help inform what is considered “reasonable.” In fact, reasonableness standards around IoT device security under California law will likely come to mirror those developed around other products, services and systems that are vulnerable to a cyberattack. For example, regulators across industries are increasingly urging multi-factor authentication security systems in other products and services, instead of just usernames and passwords. In addition, the National Institute of Standards and Technology is currently examining ways it can standardize encryption methodologies for these devices, and regulators will likely consider those standards when they are released. Another example is the Food and Drug Administration (FDA), which recently released its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” as an increasing number of medical devices become part of the IoT. The report provides a number of preventative actions, many of which could also come to represent reasonableness across industries. For example, for each medical device, the FDA advises a “Hazard Vulnerability Analysis” to better understand and potentially address the effects an attack on that device could have. The guide goes further and provides particular examples of mitigation strategies, like isolating legacy devices that cannot be easily secured and connecting those devices to their own protected network.
Other sources of insight into the likely meaning of reasonableness include the Department of Homeland Security's “Strategic Principles for Securing the Internet of Things” and the Federal Communications Commission's discussion of IoT devices in its “Cybersecurity Risk Reduction” white paper.
How will the IoT law be enforced?
Fortunately, SB-327 does not provide a private right of action, and the law will be left to the California Attorney General and other state attorneys to enforce. On the other hand, to the extent these connected devices violate—or contribute to violations of—the privacy of their users, or are subject to third-party breaches, the CCPA can provide consumers with the ability to bring a civil complaint.
The CCPA may apply in other ways, too. For example, California residents have the right under the CCPA to request deletion of personal information collected. Section 1798.140(o)(H) of the CCPA includes “[a]udio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly implicates a number of IoT devices.
As is typical of the new wave of cyber and privacy regulations, there is no explicit grandfathering of legacy devices under SB-327, meaning that California could take the position that retrofitting is required to achieve compliance with the statute. Although it is unlikely that California will take that position, it does raise the question of whether IoT devices should, going forward, allow for remote security updates to maintain the requisite level of “reasonable security features” under the law. In addition, companies may want to consider how early in their production cycles they need to implement changes to make sure compliant devices are entering the supply chain no later than the effective date.
Conclusion
Ultimately, as IoT devices proliferate throughout supply chains and our homes, the benefits in efficiency and convenience they offer will come with increased cyber and privacy risks. California, in passing SB-327, is the first state to anticipate and attempt to guard against those kinds of vulnerabilities, but it will likely not be the last state to do so. Companies that manufacture and distribute IoT devices will be required to comply with this and other laws, and sufficient security features will need to be put in place. More importantly, however, these same security features can protect against breaches and hacks, and the resulting regulatory enforcement actions and litigation.
Although SB-327 is not scheduled to go into effect until January 2020, now is the time to plan and come into compliance with the law. This is particularly true for manufacturers, which will need plenty of lead time to design and implement the necessary security features.
Michael Bahar is a partner in the Washington DC office of Eversheds Sutherland where he co-leads the firm's global cybersecurity and privacy practice and is a member of the firm's litigation practice. Frank Nolan serves as counsel in the New York office of Eversheds Sutherland. He defends class action lawsuits and complex business litigation matters in federal and state courts throughout the country. Trevor Satnick is a staff attorney in the New York office of Eversheds Sutherland where he focuses on the full range of data issues, including data privacy and security, cyber risk and cyber breach responses, e-discovery and information governance.