Gone are the days when your thermostat simply controlled the heater or air-conditioning system. Nest disrupted this industry when it introduced its “smart” thermostat back in 2011. Fast-forward eight years, and Nest’s thermostat no longer operates alone. Instead, it is now one of over 25 billion “Internet of Things” (IoT) devices capable of interconnecting with each other through a hub (e.g., Google Home or Amazon Alexa devices).
The companies that sell these IoT devices should be prepared for the enforcement of California’s IoT security law (Senate Bill 327), which goes into effect on January 1, 2020. Signed into law in September 2018, it requires the manufacturer of any connected device sold in California – regardless of where it is made – to equip the device with “a reasonable security feature or features” that are appropriate to the nature and function of the device and to the information it collects, and that are designed to protect the device and any information it contains from “unauthorized access, destruction, use, modification, or disclosure.” For a device that can be authenticated from outside a local area network, the law deems this requirement met if either of the following holds:
- The preprogrammed password is unique to each device manufactured; or
- The device requires the user to generate a new password (or other means of authentication) before access is granted for the first time.
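Either safe-harbor path above is simple to state but easy to get wrong in firmware: a “unique” default derived from the serial number or MAC address differs per device yet is recoverable by anyone who learns the scheme, and a forced password change that can be bypassed by logging in with the factory credential first is no gate at all. The following is an added example, not code from the original post or from any vendor, showing one way a device could implement both paths in Python. The class and function names, the PBKDF2 parameters and the minimum-length policy are assumptions chosen for illustration.

```python
"""Added example: per-device factory password (path 1) and a first-use
credential gate (path 2). Names and policy values are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Constructed policy values for this example (assumptions, not from SB 327).
PASSWORD_ALPHABET = string.ascii_letters + string.digits
MIN_USER_PASSWORD_LEN = 12
PBKDF2_ITERATIONS = 200_000


def provision_default_password(length: int = 16) -> str:
    """Path 1: generate the preprogrammed password for ONE device at the factory.

    It is drawn from the OS CSPRNG, so it is unique per device and cannot be
    recomputed from the MAC address, serial number or model. A password derived
    as f(serial) would also differ per device, but anyone who learned the
    derivation could regenerate it; that is the failure mode this avoids.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped credential store does not yield passwords."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class DeviceCredentialStore:
    """Path 2: no session is granted until the user has replaced the factory
    credential with one of their own.

    Only hashes live on the device; the factory password itself goes on the
    label (or into the vendor's provisioning database), never into flash.
    """

    def __init__(self, factory_password: str) -> None:
        self._factory_salt = os.urandom(16)
        self._factory_hash = _hash_password(factory_password, self._factory_salt)
        self._user_salt: Optional[bytes] = None
        self._user_hash: Optional[bytes] = None

    @property
    def setup_complete(self) -> bool:
        return self._user_hash is not None

    def _matches_factory(self, password: str) -> bool:
        candidate = _hash_password(password, self._factory_salt)
        return hmac.compare_digest(candidate, self._factory_hash)

    def complete_setup(self, factory_password: str, new_password: str) -> bool:
        """First-time setup: prove possession of the factory credential, then set
        a user password that differs from it and meets the length policy.
        Runs once; a second attempt is refused so the gate cannot be re-armed."""
        if self.setup_complete or not self._matches_factory(factory_password):
            return False
        if len(new_password) < MIN_USER_PASSWORD_LEN:
            return False
        if self._matches_factory(new_password):
            return False
        self._user_salt = os.urandom(16)
        self._user_hash = _hash_password(new_password, self._user_salt)
        return True

    def authorize(self, password: str) -> str:
        """Gate every login (local or remote) on setup having been completed.
        The factory credential is never accepted for a normal session, so a
        device left in its boxed state exposes no usable login."""
        if self._user_salt is None or self._user_hash is None:
            return "denied: first-time setup required"
        candidate = _hash_password(password, self._user_salt)
        if hmac.compare_digest(candidate, self._user_hash):
            return "granted"
        return "denied: bad credentials"


if __name__ == "__main__":
    factory = provision_default_password()
    store = DeviceCredentialStore(factory)
    print(store.authorize(factory))                        # setup required
    print(store.complete_setup(factory, factory))          # False: must differ
    print(store.complete_setup(factory, "correct-horse-battery"))  # True
    print(store.authorize("correct-horse-battery"))        # granted
    print(store.authorize(factory))                        # bad credentials
```

The two paths compose: a device that ships with a per-device random factory password and still forces the user to replace it on first use satisfies both criteria, and the factory credential is useful for exactly one operation, completing setup.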
The law applies to any “connected device,” defined as a device or other physical object capable of connecting “to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” In other words, virtually any IoT device currently being developed or sold will fall under this broad definition.
So, what risk do companies face if they fail to comply by next year? The full risk is not yet known, because the law does not give consumers a private right of action. Instead, enforcement is reserved to the California Attorney General, city attorneys, county counsel and district attorneys, who may investigate and penalize non-compliant companies. While the risk may be low, the required security measures are not onerous, and companies should take steps to ensure their IoT devices are compliant by the start of 2020.
And although California’s law is ahead of the regulatory curve, the federal government isn’t far behind. This year, lawmakers re-introduced the Internet of Things Cybersecurity Improvement Act with the goal of “leverag[ing] Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” If enacted, the bill would prohibit U.S. government agencies from acquiring or using IoT devices that do not meet security requirements to be developed by the National Institute of Standards and Technology (NIST).
California’s law and the pending federal bill are likely just the first steps in a regulatory scheme for an expanding IoT market that is evolving and faces new security threats almost daily. What counts as a “reasonable” measure today may not be deemed reasonable tomorrow. The California law should therefore be considered a floor, not a ceiling, for the security measures IoT device manufacturers adopt. Stronger security practices throughout the entire design process, together with a mechanism for delivering security patches and updates after sale, will likely become commonplace requirements for IoT manufacturers in the near future.