The Internet of Things is a relatively new development that has changed the world. However, the laws were either non-existent or archaic. Now, it’s important to inform our readers that Jerry Brown has signed a cybersecurity law covering “smart” devices. The bill, SB-327, was introduced last year and states in relevant part that:
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
This law amends California Civil Code Section 1798.91.04, et seq., and prevents companies from selling connected devices with preset passwords that make it easy for hackers to infiltrate them. So, in 2020, all electronic devices that are manufactured or distributed in California must come with unique passwords or a feature that compels the user to implement a unique password. This statute defines a “connected device” as any device, or other physical object, that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. So, in essence, manufacturers of internet-connected devices that sell or offer to sell such devices are covered under this law.
There have been positive and negative reviews about this new law. Experts have said this law is a good start, but it may not be enough. Other laws have been introduced to set minimum security standards for electronic devices. For example, the IoT Cybersecurity Improvement Act of 2017 was designed to set minimum security standards for connected devices purchased by the government. The IoT Consumer TIPS Act of 2017 was designed to instruct the Federal Trade Commission to promote educational resources for consumers around connected devices. Also, the SMART IoT Act was designed to mandate the Department of Commerce to engage in studies on the status of various industries.
In addition, California recently passed the California Consumer Privacy Act of 2018 (“CCPA”), which practically parallels Europe’s General Data Protection Regulation (“GDPR”). This new law will affect organizations that collect consumer data and will become effective starting January 1, 2020. Its provisions allow consumers to demand the disclosure of their personal information, the categories of sources for that information, the business purposes for collecting or selling the information, and the parties with whom the organization shares it. To comply with the statute, businesses must keep track of the collected data and be able to pinpoint its location at all times.
These new laws will affect businesses that are involved in the sale or distribution of connected devices. There are limitations with these new laws, as they may not impose the necessary duties upon device manufacturers. They may not provide a private right of action for consumers, so it’s important to review their provisions with legal counsel.