With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.
The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:
A connected device is any device capable of connecting to the Internet, directly or indirectly that is assigned an Internet Protocol address or Bluetooth address (§1798.91.05(b))
Manufacturers include anyone who manufactures (or contracts with a third party to manufacture) connected devices that are sold or offered for sale in California (§1798.91.05(c)).