What the heck is IoT, and why did California just enact SB 327, a new law effective January 2020 that will potentially cost technology manufacturers thousands, if not millions, in compliance costs? Let’s take a look…
While we mere mortals generate a massive volume of new data on a daily basis typing away on keyboards, smartphones, and tablets, we cannot hold a candle to the petabytes of data being generated by the approximately twenty-four billion Internet-connected robotic devices deployed around the world right now to serve our insatiable need for automation. These devices – each with integrated audio, video and radio sensors – are known collectively as the “Internet of Things” or “IoT”. There are approximately six IoT devices for every one of the four billion internet users on the planet, and that number is expected to double in just the next 5 years.
IoT devices come in many forms and have helped to simplify and improve our daily lives. However, they also pose a clear and present danger of being hijacked for nefarious purposes. For example, we have already seen bad actors turn simple household devices into a zombie botnet army that launched a series of massive Distributed Denial of Service (DDoS) attacks shutting down major websites. We have also seen internet-connected toys designed for children being turned into surreptitious home recording devices.
The perceived failure of manufacturers to implement appropriate security safeguards and utilize privacy by design principles has, at least in theory, left IoT devices open to the perverse imagination of every cyber-criminal inhabiting the deep internet.
With the United States Congress taking its usual dawdling pace at addressing real-world problems impacting a vast majority of Americans, California has stepped into the breach by enacting SB 327, the first legislation in the country to require reasonable security features be included with IoT devices sold in the state.[1] Effective January 2020, along with the new California Consumer Privacy Act, any manufacturer of a “connected device” being sold in California will be required to:
“…equip the device with a reasonable security feature or features that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”[2]
The new California law broadly defines “connected device” to include any device or object that can connect to the internet, directly or indirectly, and is assigned an IP or Bluetooth address.
On the face of it, this new California law appears to be a simple fix to a hefty problem: too many unsecured IoT devices, poorly designed without any concern for data security, privacy, or data protection. However, there has been some significant criticism leveled against this bill from cybersecurity experts, who assert that the legislature has failed to adequately address the many significant issues with IoT devices already on the market, and may actually be making matters worse.[3]
Looking a little more closely, it is worth noting that the new law expressly excludes any private right of action (sorry, friends on the Plaintiffs’ bar), which was a significant change from the original language of the Assembly bill. Other major changes during the amendment and reconciliation process included excising requirements that IoT devices being sold to California consumers include plain written notices on whether and how the device collected “audio, video, location, biometric, health, and other personal or sensitive consumer information,” and where to locate the applicable privacy policy for the device. Requirements related to security patching and updates were also removed.
Bottom line: In the continued absence of leadership on privacy issues out of Washington, California again leads the way in trying to do something consumer-friendly(-ish) to address the ever-expanding global and domestic privacy issues we face as technology continues to far outpace our ability to enact new laws. These new laws are far from perfect: they’ve been poorly drafted and watered down, leaving massive, gaping holes. Are they better than nothing? Time will tell.
[1] Technically, there are two separate bills, one from the California Senate, and one from the California Assembly, respectively SB 327 and AB 1009, which were brought together through informal reconciliation. Each was amended to copy the other – save a cross-referencing section that required that both be signed into law – resulting in the exact same modification to the California Civil Code starting at Section 1798.91.04 – .06.
[2] Enacted as Cal. Civ. Code 1798.91.04. See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
[3] See, e.g., Robert Graham, California’s bad IoT law, Errata Security (Sept 10, 2018), available at: https://blog.erratasec.com/2018/09/californias-bad-iot-law.html#.W7JLDS-ZPVs.