California launched a new Internet of Things (IoT) security law Jan. 1, but there's a chance that both it and any other similar pieces of legislation that could emerge across the nation may spend the foreseeable future living in the shadow of privacy.

The California law is one of the broadest-reaching pieces of IoT legislation to touch down in the United States, requiring any and all IoT manufacturers who count California residents among their customer base to incorporate "reasonable security measures" that protect both a device and the information it collects from unauthorized access.

However, since similar requirements around the protection of personal data already exist in legislation such as the California Consumer Privacy Act (or CCPA, which also launched Jan. 1), there's a chance that regulations geared specifically toward IoT devices may take a back seat as other states look to address a privacy law first.

Christopher Ballod, a partner at Lewis Brisbois Bisgaard & Smith, pointed out that the CCPA already suggests what the framework needs to be for the level of security undertaken when processing data from IoT devices.

"I do think the existing laws are already going a long way towards leading companies to evaluating their security framework and to push it forward. … It would be curious to see a lot of these [IoT] laws popping up," Ballod said.

However, that's not to say that IoT security issues have been able to stay clear of the headlines. Amazon's Ring home security system, for example, was faced with a class action complaint earlier this month stemming from a series of outside hacks—one of which allegedly involved the threat of "termination" unless a couple paid a 50 bitcoin ransom.

According to Daniel Pepper, a partner at Baker & Hostetler, many IoT devices are not equipped to update themselves with the latest security layers or patches, a vulnerability that laws such as the one in California can help address. With those needs in mind, he's not as pessimistic about the future of legislation devoted specifically to IoT security, citing the very public issues faced by companies like Ring.

"I think those things will continue to happen unfortunately. So as you start to see a trickle of those things, I think more states are going to start to hear from their constituents saying, 'Hey, look, we need to see something done here,'" Pepper said.

While he ultimately expects states to continue to prioritize privacy laws, the delay on IoT regulation may give companies some much-needed time to do their homework. Even though California's IoT law is officially in effect, Pepper noted many of the device manufacturers he's spoken with are either unaware of whether the regulation applies to them, not sure how to comply, or in some cases completely oblivious to its existence.

Some of that ignorance could be chalked up to the fact that IoT regulations affect fewer entities than privacy laws. There's also the vague nature of exactly what constitutes "reasonable security measures." Aside from mandating that an IoT device carry a unique pre-programmed password or user-programmed password before it's able to connect to the internet, California's regulation is light on specifics.

It doesn't help that IoT devices encompass a wide range of items across different markets, which may each present their own unique considerations. "IoT manufacturers are still seeking to understand the extent to which 'reasonable security features' may vary depending on whether the device is for consumer or enterprise use," said Chris Lyon, a partner in the privacy and data security practice at Morrison & Foerster.

Those seeking answers may have to dive deep into the annals of state law. Reece Hirsch, partner and co-head of Morgan, Lewis & Bockius' privacy and cybersecurity practice, pointed to the CIS Critical Security Controls approved by the California attorney general in 2016 as a potential source of clarity on the "reasonable security" expectation—but even those don't mesh perfectly with the unique nature of IoT devices.

Still, there may be one potential silver lining to all that confusion.

"Because the IoT law's 'reasonable security' mandate is not nearly as prescriptive as the CCPA, it should be much more feasible for manufacturers to adopt it across the board," Hirsch said.