California’s first-in-the-nation law to regulate the Internet of Things (IoT), signed into law last September, takes effect in January. The new law builds on California’s pioneering consumer privacy legislation, extending it into the realm of “connected devices.” Although the law only directly targets device manufacturers, all California businesses that in any way touch or interact with connected consumer devices need to be aware of the risks that the legislation is designed to mitigate. Businesses need to consider how they may be affected as this regulatory regime evolves.
Recent years have seen Internet connectivity driven deep inside the home – not just security cameras, but refrigerators, washing machines – a whole plethora of consumer devices have been assigned their own IP addresses. California’s connected device law is the first successful legislative response to widely-publicized breaches of information security exploiting the security vulnerabilities of networked consumer devices. Baby monitors and children’s toys have been hacked to give the hackers direct access to children and the data gathered by the devices. In one incident, thousands of insecure web cameras were exploited to attack and disable major websites including Twitter, Spotify, the New York Times and Airbnb.
The legislation requires manufacturers of devices that connect to the Internet to equip these devices with “a reasonable security feature or features” that are (1) “[a]ppropriate to the nature and function of the device,” (2) “[a]ppropriate to the information it may collect, contain, or transmit,” and
(3) “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Written into the law are two specific “requirements,” either of which, if met by a given device, are deemed “a reasonable security feature.” These are (a) a preprogrammed password unique to each device, or (b) a set-up process in which the consumer is required to generate a new set of authentication data before access to the device is granted.
The specific reach of the law is limited. It creates duties for manufacturers – including the direct manufacturers of devices and persons who contract for the manufacture of devices. It does not create duties for other parties in the IoT value chain – specifically, providers of electronic stores, gateways, or marketplaces and providers of software unaffiliated with the manufacturer that a consumer may add to or use with a connected device. The law carves out two broad categories that would otherwise fall within its reach: (a) devices regulated by an agency of the Federal government, and (b) any activities by persons or entities subject to regulation under HIPAA (the federal Health Insurance Portability and Accountability Act of 1996) or the Confidentiality of Medical Information Act. The law does not give rise to a right for private parties to sue under it. Only the State Attorney General, city and county counsel and district attorneys are given the authority to enforce the law.
Manufacturers of connected devices should be well along at this point in implementing any new security features in their devices in advance of the January 1, 2020 effective date. Any business owner or manager of a covered manufacturer who cannot confidently make that self-assessment needs to seek immediate assistance from qualified IT professionals.
What are the implications of the connected device statute for non-manufacturing businesses involved in some way in the IoT space? While there may be no direct liability for non-manufacturers under the California connected devices statute, the enactment of the law itself together with the legislative history is a milestone in establishing public policy with respect to the security of connected devices. Despite its practical limitations, this well-intentioned law raises the bar with respect to insurability, potential tort liability, brand value, consumer confidence and other considerations. Going forward, the security capabilities – or lack thereof – of connected devices becomes a matter of due diligence and evolving best practices for any business that uses or deploys, purchases or integrates connected devices into its own business.