On September 28, California Governor Jerry Brown signed a first-of-its-kind law to regulate the security of connected devices that make up the “Internet of Things” (“IoT”)—connected fitness trackers, smart appliances, home alarm systems and much more.
The rapid adoption of these connected devices has led to an increase in security risk and a corresponding rise in government interest in IoT security. US federal agencies such as the Department of Homeland Security and the Department of Commerce have provided guidance on how to manage the security of these devices, and the Federal Trade Commission (“FTC”) has asserted its authority to bring enforcement actions for “unreasonable” IoT cybersecurity practices.
State governments, by contrast, had not engaged on IoT cybersecurity until now, but that has changed. The California law creates new regulatory concerns for manufacturers of connected devices sold in the state. As a result, businesses that manufacture connected devices will benefit from monitoring how the law is implemented and whether other states follow suit with their own laws to regulate connected device cybersecurity.
The California law, which goes into effect on January 1, 2020, sets requirements for manufacturers of a “connected device.” This term is broadly defined to include “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” However, the bill includes a number of exceptions to this scope. In particular:
- The statute does not apply to “any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.”
- Likewise, the statute does not apply to persons subject to the Health Insurance Portability and Accountability Act with respect to any activity regulated by those acts.
The sweep of these exceptions will be of great interest to manufacturers in a range of sectors. Manufacturers of connected cars and medical devices, for example, are likely to view the guidance issued by the National Highway Traffic Safety Administration and the Food and Drug Administration, respectively, as removing their products from the scope of the California statute (even assuming that this statute otherwise can or does apply). Moreover, manufacturers of other consumer products may well view the FTC’s guidance on IoT security and data security more broadly as excepting their products from the statute’s sweep. Finally, while the statute is clearly aimed at the new wave of connected devices used by consumers, it remains to be seen whether efforts will be made to apply the law to products that are not directly marketed to consumers or to apply its requirements to more conventional information technology products that are not normally considered part of the IoT (e.g., laptops, tablets).
For devices that are within the state law’s scope, manufacturers must ensure that these connected devices have “reasonable” security features that are:
- Appropriate to the device’s nature and function;
- Appropriate to the information the device collects, contains or transmits; and
- Designed to protect the device and its information from unauthorized access, destruction, use, modification or disclosure.
The statute takes particular aim at generic, hard-coded device passwords. For devices that can be authenticated outside a local area network, it specifies that either unique preprogrammed passwords or a requirement that the user generate a new password before first use are deemed “reasonable” security features. Beyond this particular point, however, the law does not provide more detail on how a manufacturer can determine whether the security measures it adopts meet this reasonableness standard.
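To make the password provision concrete, the following added example (written for this page, not code from the statute, a regulator or any manufacturer) models the two credential approaches the text says the law deems reasonable: a unique per-unit preprogrammed password, or a device that refuses service until the user sets a new password. The `Device` class, the `GENERIC_DEFAULTS` list and the serial numbers are constructed for the demonstration; the hashing and comparison calls are standard-library Python.

```python
"""
Added illustration: two ways a connected device's first-use credential
handling can avoid the generic, shared default password the statute targets.

Path A: each unit is factory-provisioned with its own unique password.
Path B: the unit ships without a usable password and refuses to
        authenticate until the user creates one.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hashlib
import hmac
import os
import secrets

# Constructed list of well-known generic defaults, for this example only.
GENERIC_DEFAULTS = {"admin", "password", "1234", "12345", "default"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the device stores no plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: Optional[bytes] = None
    setup_required: bool = True  # Path B until a password exists

    @classmethod
    def with_unique_password(cls, serial: str) -> Tuple["Device", str]:
        """Path A: factory assigns a distinct random password to this unit."""
        unit_password = secrets.token_urlsafe(12)  # printed on the unit's label
        dev = cls(serial=serial, setup_required=False)
        dev.password_hash = _hash_password(unit_password, dev.salt)
        return dev, unit_password

    @classmethod
    def requiring_setup(cls, serial: str) -> "Device":
        """Path B: no credential exists until the user completes setup."""
        return cls(serial=serial, setup_required=True)

    def set_initial_password(self, new_password: str) -> bool:
        """Completes first-use setup; refuses generic defaults and short values."""
        if not self.setup_required:
            return False  # setup is a one-time step, not a reset path
        if new_password.lower() in GENERIC_DEFAULTS or len(new_password) < 8:
            return False
        self.password_hash = _hash_password(new_password, self.salt)
        self.setup_required = False
        return True

    def authenticate(self, password: str) -> str:
        """Returns 'ok', 'setup_required' or 'denied'."""
        if self.setup_required or self.password_hash is None:
            return "setup_required"
        candidate = _hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            return "ok"
        return "denied"


def ships_with_generic_default(preprogrammed: Optional[str]) -> bool:
    """Flags the pattern the statute singles out: a shared, generic default."""
    return preprogrammed is not None and preprogrammed.lower() in GENERIC_DEFAULTS


if __name__ == "__main__":
    dev_a, label_pw = Device.with_unique_password("SN-0001")
    print("Path A login with label password:", dev_a.authenticate(label_pw))
    dev_b = Device.requiring_setup("SN-0002")
    print("Path B before setup:", dev_b.authenticate("anything"))
    print("Path B refuses 'admin':", dev_b.set_initial_password("admin"))
    print("Path B accepts user password:", dev_b.set_initial_password("owner-chosen-42"))
    print("Flag generic default 'admin':", ships_with_generic_default("admin"))
```

Under Path A, two units provisioned by `with_unique_password` receive different passwords, so compromising one unit's credential says nothing about another's; under Path B, every remote request before setup is answered with `setup_required`, which is the behaviour a reviewer would want to see in firmware logs during a compliance check.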
Importantly, the new law also specifies that it does not create a private right of action. Whether that is the final word on civil litigation remains to be seen, however. Plaintiffs already have brought claims under the California Unfair Competition Law (“UCL”) for alleged security flaws in connected devices, for example. While the California Supreme Court has previously made clear its unwillingness to allow plaintiffs to use the UCL to do an end run around more specific statutory schemes that limit liability, plaintiffs nonetheless may seek to rely on the standards stated in California’s new IoT law in common law or UCL claims.
Moreover, the law does provide the California attorney general and city, county or district attorneys with enforcement authority. How this law is interpreted and enforced by this broad group of government agencies remains to be seen. The statute ultimately may prove, for example, to reinforce the requirements already applicable to connected device manufacturers subject to the jurisdiction of the FTC or sector-specific regulators. However, the possibility of divergent legal requirements—and even the creation of a patchwork of similar, but not identical, laws in other states—makes this statute a very significant development in the regulation of IoT cybersecurity. Manufacturers of connected devices consequently are likely to be well served by closely monitoring further developments in this area.