California continues to pave the way for privacy and cybersecurity legislation as Governor Brown recently signed the first Internet of Things (“IoT”) security law in the United States (SB-327).
While connected devices offer users convenience and efficiency, California lawmakers recognized that such devices also raise serious security and privacy issues. The stated purpose of SB-327 is “to ensure that [I]nternet-connected devices are equipped with reasonable security measures to protect them from unauthorized access, use, destruction, disclosure, or modification by hackers.” Lawmakers identified several concerns, including physical dangers posed by connected cars and medical devices (e.g., connected insulin pumps that can be hacked to deliver lethal doses), as well as concerns over hacks of connected devices to create “botnets,” which have already resulted in major Internet crashes and Denial of Service attacks (attacks intended to prohibit authorized users from accessing networks or devices).
SB-327 has received criticism for its vague terminology, which critics argue fails to provide covered entities with clear direction, thereby preventing them from knowing whether they achieved compliance. Some have also said that SB-327’s requirements are not strict enough. Others applauded the law, saying that despite potential flaws, it was a necessary step in the right direction.
What does SB-327 Require?
Manufacturers must equip connected devices with “reasonable” security features. The bill lacks specificity but, at a minimum, the security features must be (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit; and (3) designed to protect information contained on the device from unauthorized access, destruction, use, modification, or disclosure.
Subject to (1)-(3) in the preceding paragraph, if a device provides a method of authentication outside a local area network (i.e., a remote method of verifying the user’s authority to access the device), it will be deemed to have a reasonable security feature if the manufacturer includes (1) preprogramed passwords that are unique to each device, or (2) a feature requiring a user to generate a new means of authentication before the device can be accessed for the first time (e.g., password set-up, verification code, etc.).
Who does SB-327 Apply to?
Companies that manufacture, or contract to manufacture, connected devices that are sold in or offered for sale in California. Notably, the law does not apply to companies that “contract only to purchase  connected device[s], or only to purchase and brand  connected device[s].”
Who Enforces SB-327?
Unlike the recent California Consumer Privacy Act of 2018, SB-327 does not provide a private right of action, nor does it include specific monetary penalties. Rather, enforcement authority belongs exclusively to the Attorney General, a city attorney, a county counsel, or a district attorney.
When does SB-327 go into Effect?
The law is currently scheduled to go into effect on January 1, 2020.