Alert January 23, 2019

Preparing For California’s Internet-of-Things Regulation

California has enacted a first-of-its-kind law requiring manufacturers of internet-connected devices (so-called internet of things, or IoT) to take measures to enhance the security of the devices. Although the law does not become effective until January 1, 2020, the standards it sets forth may become relevant before the effective date, and manufacturers should be taking measures now to bring their devices into compliance.

Summary

The California law contains two key provisions, one general and one specific.

The first provision generally requires that each “manufacturer of a connected device” must equip the device with “reasonable security features” that are “appropriate to the nature and function of the device” and “appropriate to the information it may collect, contain or transmit,” and that are “designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”

The second provision sets out a specific method of compliance for certain internet-connected devices:

If a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature … if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured; or (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The law defines “connected device” to include “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition will encompass a wide and growing array of devices, including:

  • Wearables (e.g., Fitbit, smart watch);
  • “Smart home” devices, such as thermostats, home security systems, baby monitors, etc.;
  • Appliances (e.g., “smart” refrigerators and televisions);
  • Automobiles;
  • Medical devices (except those that are regulated by the U.S. Food and Drug Administration (FDA), which are exempt, as are all other federally regulated devices); and
  • Phones.

The law applies broadly to anyone who manufactures or contracts to manufacture connected devices sold or offered for sale in California. This broad applicability is subject to a number of exceptions:

  • The law does not apply to resellers (i.e., those who buy and resell finished devices, or who buy and brand them for resale).
  • The law does not apply to makers of third-party software or applications that the user adds to a connected device.
  • The law does not apply to sellers of software or apps (electronic store, gateway, and marketplace providers).
  • Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) or by California’s Confidentiality of Medical Information Act are exempt with respect to those regulated activities.

Another provision states that the new law is subject to enforcement only by authorized government officials — that is, there is no private right of enforcement.

Analysis

IoT technology is a burgeoning and diverse field. Indeed, IoT is a misnomer, as there is no single “internet of things,” but rather many diverse internet-connected devices, each built toward its own purpose and working toward its own unique end. Some IoT devices are expensive, while others are inexpensive and necessarily so. This means that manufacturers must consider the legislation in the context of their own devices to determine what compliance measures may make sense.

The general provision of the new law provides little guidance on what “reasonable” security measures may entail. We may hope that future regulatory activity will help define what the state of California considers “reasonable” in the context of specific devices. In the interim, manufacturers may refer to industry-developed guidance or guidance from agencies like the National Institute of Standards and Technology (NIST), which has developed draft guidance documents to address risks for specific IoT technologies. Manufacturers should familiarize themselves with applicable guidance materials and consider measures that make sense in the context of their own devices.

The specific provision of the new law suggests that at a minimum, manufacturers of connected devices should discontinue the practice of using “standard” password protection for their devices. This practice creates significant security risks by potentially allowing hackers to commandeer large numbers of devices, as occurred (for example) in the case of a noted series of distributed denial-of-service attacks in October 2016 that caused large portions of the internet to be unavailable to users in Europe and North America. Instead, manufacturers should be using either unique passwords for each device, or user-directed passwords.

Although the new law does not take effect until 2020, and although it does not provide a private right of action, manufacturers should not wait to implement the suggested password protocols provided in the second section of the law. If a manufacturer sells devices with a noncompliant password system, and if there is a breach that compliance would have prevented, affected parties could bring claims alleging breach of a standard of care under traditional sources of tort or consumer liability, even in the absence of an express right to sue under the statute itself.

There are a number of unresolved issues that will confront manufacturers (and presumably regulators) in the years to come. Often, IoT devices have a useful life that is longer than the typical useful life of the software they employ (which, in non-IoT settings, is typically updated on a much shorter cycle). This raises the question of how to deal with vulnerabilities that become apparent after IoT devices have been sold, including how to communicate with users to provide a patch as necessary or appropriate. Another question involves how to reset passwords when a device is sold or transferred. The new law does not speak to post-sale issues, but we may plausibly expect such issues to be relevant to both manufacturers and regulators in the years ahead.