Last Friday, California became the first state in the US to pass an internet of things (IoT) cybersecurity law. California Governor Jerry Brown signed Bill SB-327 into law which addresses information privacy, specifically pertaining to connected devices. The legislation aims to protect consumers of smart home devices against potential privacy risks from unauthorized parties gaining access to user information.
The law requires manufacturers of IoT devices to provide “reasonable security features” designed to protect user privacy. The ‘features’ are largely determined by password requirements: Manufacturers must give a unique, pre-programmed password for each device or require users to establish a new means of authentication before the device can be operated for the first time.
A “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This would not only increase regulations for general IoT objects like locks and security cameras, but also for more peripheral products such as connected healthcare devices or children’s toys that tend to be more vulnerable to hackers.
Reception of the law has been mixed. Some critics fear the effects of the law will stifle innovation and deter manufacturers from operating in California, while others say that it was simply not necessary. The Entertainment Software Association opposed the bill claiming that “existing law already requires manufacturers to set up “reasonable privacy protections.” Others consider the law to be vaguely worded and insufficient in addressing additional security issues.
There are a number of other bills in the pipeline at the federal level including the Securing IoT Act of 2017 which would mandate the FCC to establish cybersecurity standards to wireless devices. Another bill yet to be voted on is the IoT Cybersecurity Improvement Act of 2017 which would designate security standards for connected devices purchased exclusively by the government.
Aside from the government, the cellular industry has also been working on initiatives to tackle cybersecurity in the wireless IoT arena. Security Baron explained the cybersecurity certification distributed by the Cellular Telecommunications and Internet Association (CTIA) earlier this year. The certificate provides standardized security guidelines for the numerous cellular devices connected to the internet.
The SB-327 law will go into effect on January 1, 2020. This is the first time that any official regulation of IoT devices has been put in place, marking a starting point for the future of cybersecurity legislation. We will have to see how manufacturers and lawmakers respond as the industry continues to grow.