States Take the Lead on Securing the Internet of Things
The California IoT Security Law is the first of its kind in the nation and pushes device manufacturers to adopt cybersecurity standards during the product development and design stages where none have existed before.
April 21, 2020 at 10:00 AM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, corporate counsel, Internet and tech practitioners, and in-house counsel.
The widespread adoption of Internet-connected devices has shifted from a novelty to a necessity in mainstream culture. Internet-connected devices, or the Internet of Things (IoT), form a network of physical objects—devices, vehicles, appliances—embedded with sensors, software, and network connectivity so that they can collect, exchange, and act on data, often without human intervention.
As a society, we have become more interested in smart products such as smart home devices, phones, and toys that make life more efficient, convenient and entertaining. Yet the use of IoT devices is not without risks. At the end of last year, Ring cameras, made by Amazon-owned Ring, made news headlines after hackers broke into the devices. There were numerous accounts of hackers gaining access to the cameras, taunting and yelling obscenities at children, and demanding bitcoin ransoms from adults through the cameras. As a result of these hacks, Amazon is now facing a class action lawsuit claiming that the Ring camera security vulnerabilities were the result of Amazon's negligence and led to an invasion of privacy. These incidents were the motivation for the passage of California's new IoT Security Law, which went into effect on Jan. 1, 2020.
The California IoT Security Law is the first of its kind in the nation and pushes device manufacturers to adopt cybersecurity standards during the product development and design stages, where none have existed before. The California IoT Law applies to connected devices, defined as any device or physical object that has the ability to connect to the Internet and has an assigned Internet protocol address or Bluetooth address. This encompasses a wide range of devices, such as smart doorbells, refrigerators, personal fitness monitors, security cameras and wearables. The definition of connected device is broad enough to cover even devices intended for industrial or other business-to-business purposes. The law also requires that all connected devices sold in California, no matter where they are manufactured, have "reasonable security features." Those "reasonable security features" must be:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The California IoT Law does outline two basic security features: any preprogrammed password must be unique to each device, and the device must require the user to generate a new means of authentication before being granted access to the device's configuration settings for the first time. Beyond these measures, the California IoT Law does not provide any additional information on what would constitute "reasonable security features." The California IoT Law does contain certain exemptions for connected devices already subject to security requirements under U.S. federal law, such as FDA-regulated medical devices.
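To make those two statutory features concrete, here is an added Python example (not from the article, and not any manufacturer's firmware) of a device credential gate: a per-unit random factory password, and configuration settings that stay locked until the owner replaces it. The class and function names, the PBKDF2 parameters and the 12-character minimum are assumptions for illustration.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac


class DeviceAuth:
    """Minimal credential gate for one device: the factory password permits
    a login, but configuration settings stay locked until the owner has
    generated a new credential (the law's second feature)."""

    MIN_LENGTH = 12  # assumed policy, not a value from the statute

    def __init__(self, serial: str, factory_password: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        # Only salted PBKDF2 hashes are stored, never the plaintext.
        self._hash = self._derive(factory_password)
        self._factory_hash = self._hash
        self.credential_rotated = False

    def _derive(self, password: str) -> bytes:
        return pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._hash)

    def can_access_config(self) -> bool:
        # First-time access to configuration settings is refused until the
        # preprogrammed credential has been replaced.
        return self.credential_rotated

    def set_new_password(self, current: str, new: str) -> bool:
        if not self.login(current) or len(new) < self.MIN_LENGTH:
            return False
        new_hash = self._derive(new)
        # Re-entering the factory password does not count as a new credential.
        if hmac.compare_digest(new_hash, self._factory_hash):
            return False
        self._hash = new_hash
        self.credential_rotated = True
        return True


def provision_device(serial: str) -> tuple[DeviceAuth, str]:
    """Factory step: generate a random password unique to this unit (the
    law's first feature) and return it for printing on the device label."""
    factory_password = secrets.token_urlsafe(12)
    return DeviceAuth(serial, factory_password), factory_password
```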
The California IoT Law does not provide for a private right of action; instead, the law is enforced by the California Attorney General and by city and district attorneys. Furthermore, the law does not specify what types of penalties can be sought, what the maximum penalties are, or whether the enforcement authorities must prove actual harm to consumers before seeking penalties. Despite these limited enforcement provisions, Californians may have other options to prove injury or harm through IoT devices. Californians who suffer an IoT data breach could bring a lawsuit under California's unfair and deceptive practices statute. The California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020, allows a private right of action for breaches of unencrypted or unredacted data caused by a business's failure to implement and maintain reasonable information security practices.
Following California's lead, Oregon passed its own IoT law, amending ORS 646.607, which largely mirrors the California IoT Law by requiring that connected device manufacturers equip IoT devices sold in the state of Oregon with reasonable security features. Oregon's law is similar to California's in that it uses the same language, including "reasonable security features." However, unlike the California IoT Law, the Oregon law is limited to devices primarily used for personal, family or household purposes. The U.S. Congress introduced the IoT Cybersecurity Improvement Act of 2019, which would require that devices purchased by the U.S. government meet certain minimum security requirements. However, it is unlikely that such a law will pass before the 2020 U.S. general election.
IoT device manufacturers looking for guidance on reasonable security features to implement in their devices should pay close attention to the National Institute of Standards and Technology (NIST)'s Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The NIST Recommendations are voluntary, non-binding guidance, but they provide considerations for assessing privacy and security practices. The Recommendations describe six voluntary cybersecurity activities: four that a manufacturer can perform before a device is sent out for sale, and two that can be performed after the device has hit the market.
- Identify expected customers and define expected use cases for IoT devices.
- Research customer cybersecurity goals and how the device will be managed, accessed, and monitored by the customer or other devices.
- Determine how to address customer goals by having IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks.
- Plan for adequate support of customer goals by appropriately provisioning device hardware, firmware, software and business resources to support the desired device cybersecurity capabilities.
- Define approaches for communicating with customers, as many customers will benefit from manufacturers communicating more clearly about the cybersecurity risks involving their IoT devices.
- Decide what to communicate to customers and how to communicate it.
Other states, such as Virginia and New York, have considered their own IoT laws, but none had passed at the time of submission of this article. It will be important for IoT device manufacturers to monitor state law developments as more states consider regulating the security features of IoT devices.
Ashley Thomas is an associate in the cybersecurity and privacy group at Morris, Manning and Martin LLP. She can be reached at [email protected].