California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?
The State of Security
With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.
The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
(Cal. Civ. Code §1798.91.04(a))
A connected device is any device capable of connecting to the Internet, directly or indirectly that is assigned an Internet Protocol address or Bluetooth address (§1798.91.05(b))
Manufacturers include anyone who manufactures (or contracts with a third party to manufacture) connected devices that are sold or offered for sale in California (§1798.91.05(c)).