California Passes Nation’s First Cybersecurity Law Addressing Internet of Things

Last Friday, California became the first state in the US to pass an internet of things (IoT) cybersecurity law. California Governor Jerry Brown signed Bill SB-327 into law; the bill addresses information privacy, specifically as it pertains to connected devices. The legislation aims to protect consumers of smart home devices against potential privacy risks from unauthorized parties gaining access to user information.

The law requires manufacturers of IoT devices to provide “reasonable security features” designed to protect user privacy. The ‘features’ are largely determined by password requirements: Manufacturers must give a unique, pre-programmed password for each device or require users to establish a new means of authentication before the device can be operated for the first time.

A “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This would not only increase regulations for general IoT objects like locks and security cameras, but also for more peripheral products such as connected healthcare devices or children’s toys that tend to be more vulnerable to hackers.

Reception of the law has been mixed. Some critics fear the law will stifle innovation and deter manufacturers from operating in California, while others say that it was simply not necessary. The Entertainment Software Association opposed the bill, claiming that existing law already requires manufacturers to set up “reasonable privacy protections.” Others consider the law to be vaguely worded and insufficient in addressing additional security issues.

There are a number of other bills in the pipeline at the federal level, including the Securing IoT Act of 2017, which would mandate the FCC to establish cybersecurity standards for wireless devices. Another bill yet to be voted on is the IoT Cybersecurity Improvement Act of 2017, which would designate security standards for connected devices purchased exclusively by the government.

Aside from the government, the cellular industry has also been working on initiatives to tackle cybersecurity in the wireless IoT arena. Security Baron explained the cybersecurity certification distributed by the Cellular Telecommunications and Internet Association (CTIA) earlier this year. The certificate provides standardized security guidelines for the numerous cellular devices connected to the internet.

The SB-327 law will go into effect on January 1, 2020. This is the first time that any official regulation of IoT devices has been put in place, marking a starting point for the future of cybersecurity legislation. We will have to see how manufacturers and lawmakers respond as the industry continues to grow.


Mia Figueroa

Mia is a journalist whose work spans documentary film, radio and online journalism. She discovered her passion for storytelling and love of robots after spending two years working at a venture capital firm in San Francisco. Still deeply inspired by the power of technology to change our daily lives, Mia bridges her unique experience with tech and media at Security Baron to help others understand and embrace technology.
