New IOT Law in CA for 2020

IOT devices are everywhere–from the refrigerator to the fish tank, the thermostat and even the sprinklers. It goes without saying that the “Internet of Things” intertwines our daily lives together. IOT devices provide ease of use, they save time and definitely offer the comfort of never having to leave your sofa to order dinner off of Alexa, but they also usher in a new host of security concerns both personally and professionally.

California has moved to lower this risk with a new law going into effect Jan 1, 2020. The state’s new IoT Security Law, the first in the country demands that all IOT devices sold in this state have “reasonable cybersecurity measures” embedded.

What is reasonable and what does the law cover?

The law covers “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Under this definition,  devices could include everything from computers and the printing machine to smart TVs and Fitbits. And this list is always growing. For businesses in California, that’s going to make it a lot harder to determine whether the devices they’re using fall within the confines of the law.

According to the law, a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

The law defines secure measures as it relates to authentication for devices outside a local area network, stating that “the preprogrammed password is unique to each device manufactured” and “the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

Basically, new IOT devices won’t come with a standard “Admin” password anymore that is easily hackable.

Are there penalties for noncompliance?

It’s hard to tell. Here’s what the law states:

• It does not allow private parties to sue under California law. Instead, enforcement is delegated “exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys.”
• It does not specify what types of penalties officials can seek for violations, what the maximum penalties are or whether officials must prove that actual harm to consumers has occurred before seeking penalties.

Although California is leading the pack in legislation, there can obviously be more clarity and some improvements. It stands to say that all device manufacturers need to update their password management of devices and need to be prepared for more states to follow with tighter security restrictions.

If you need assistance with cybersecurity services contact us at [email protected].

Source: https://www.helpnetsecurity.com/2019/11/20/california-iot-security-law/

Image Source: https://www.pexels.com/photo/apartment-chair-clean-contemporary-279719/