Advisories
California Enacts the Nation’s First Internet of Things Security Law
By Christopher W. Savage, Amy Mushahwar, and Brandon H. Graves
10.03.18
On Friday, September 28, 2018, California Governor Jerry Brown signed the nation’s first Internet of Things (IoT) cybersecurity law. Although the new law presents some compliance issues, it does not appear to conflict with federal regulatory policy, unlike what some have alleged regarding the state’s recent forays into net neutrality and online privacy. Therefore, the new law will likely go into effect as scheduled on January 1, 2020. With the number of IoT devices having already overtaken the global population, firms in, or considering entering, the IoT device market should carefully note this new development.
New Security Requirements:
The new law requires manufacturers of any “connected device” to implement “reasonable” security features. First, a “connected device” is “any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Cal. Civ. Code § 1798.91.05(b). The law thus covers most devices that will fall under the “Internet of Things” rubric.1 Second, “reasonable” security features for IoT devices are ones that are: “(1) Appropriate to the nature and function of the device; (2) Appropriate to the information it may collect, contain, or transmit; and (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Cal. Civ. Code § 1798.91.04(a). The statute also provides a narrow safe harbor: a device equipped with a means of authentication outside a local area network is deemed to have a reasonable security feature if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before access is granted to the device for the first time. Cal. Civ. Code § 1798.91.04(b). Note that the safe harbor addresses only the default-credential problem; it does not speak to firmware update mechanisms, encryption of data in transit, or any other feature a regulator might later consider part of “reasonable” security.
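The safe harbor in § 1798.91.04(b) is concrete enough to show in code. The following is an added example, not part of the advisory and not any vendor’s firmware: it models a hypothetical device’s remote-management account under the non-compliant shared default and under each of the two statutory options. The `DeviceAccount` class, the factory `provision_*` helpers, the blocklist and the minimum length are assumptions chosen for illustration; only the two statutory options themselves come from the text.

```python
"""Credential provisioning patterns for a connected device.

Added example, not from the original advisory. It models the two
Cal. Civ. Code § 1798.91.04(b) safe-harbor options for a device whose
means of authentication is reachable from outside the local network:
  1. a preprogrammed password unique to each device manufactured, or
  2. requiring the user to generate a new credential before first access.
The DeviceAccount class, the factory helpers, the blocklist and the
minimum length are hypothetical; the shared default is shown for contrast.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

# A password printed in the manual and identical on every unit: the
# pattern the statute steers manufacturers away from.
SHARED_DEFAULT = "admin"
# Well-known defaults that a user-chosen credential must not fall back to.
BLOCKLIST = {"admin", "password", "12345678", "root", SHARED_DEFAULT}
MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the device never stores the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class DeviceAccount:
    """Remote-management account as stored on a single device (hypothetical)."""

    def __init__(self, salt: bytes, digest: Optional[bytes], setup_required: bool):
        self.salt = salt
        self.digest = digest
        self.setup_required = setup_required

    def remote_login(self, password: str) -> str:
        """Returns 'ok', 'setup_required' or 'denied'."""
        if self.setup_required or self.digest is None:
            return "setup_required"  # no remote access before first-use setup
        if hmac.compare_digest(self.digest, hash_password(password, self.salt)):
            return "ok"
        return "denied"

    def set_initial_credential(self, new_password: str) -> bool:
        """First-use flow: accept only a credential that is not a known default."""
        if not self.setup_required:
            return False  # setup may run exactly once
        if len(new_password) < MIN_LENGTH or new_password.lower() in BLOCKLIST:
            return False
        self.digest = hash_password(new_password, self.salt)
        self.setup_required = False
        return True


def provision_shared_default() -> DeviceAccount:
    """Non-compliant: every unit ships with the same preprogrammed password."""
    salt = os.urandom(16)
    return DeviceAccount(salt, hash_password(SHARED_DEFAULT, salt), False)


def provision_unique_password(length: int = 16) -> Tuple[str, DeviceAccount]:
    """Option 1: the factory draws a random password per unit and prints it
    on the device label; only the salted hash is written to the device."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    return password, DeviceAccount(salt, hash_password(password, salt), False)


def provision_force_change() -> DeviceAccount:
    """Option 2: no usable remote credential exists until the user sets one."""
    return DeviceAccount(os.urandom(16), None, True)


def fleet_passwords_unique(label_passwords: List[str]) -> bool:
    """Production-line check for option 1: no two units may share a password."""
    return len(set(label_passwords)) == len(label_passwords)


if __name__ == "__main__":
    bad = provision_shared_default()
    print("shared default, attacker guesses 'admin':", bad.remote_login("admin"))
    label_pw, good = provision_unique_password()
    print("unique password, attacker guesses 'admin':", good.remote_login("admin"))
    print("unique password, owner types the label:", good.remote_login(label_pw))
    forced = provision_force_change()
    print("forced change, before setup:", forced.remote_login("anything"))
    print("forced change, user picks a blocklisted value:", forced.set_initial_credential("password"))
    forced.set_initial_credential("correct-horse-battery")
    print("forced change, after setup:", forced.remote_login("correct-horse-battery"))
```

The contrast worth noticing is the first line of output: under the shared default the attacker’s guess succeeds, which is the outcome the safe harbor exists to prevent. The two compliant paths differ in where the burden lands. Option 1 puts it on the production line (hence the `fleet_passwords_unique` check), option 2 on the first-use flow, which must refuse weak or well-known values or the user will simply recreate the shared default.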
Ambiguities in the New Statutory Security Standard:
The substantive security language is quite vague – there is no guidance or definition under state law regarding how the term “reasonable” is to be applied to specific security features. And existing FTC precedent on reasonable security has focused on the need to establish a comprehensive security program, not on individual security features. See, e.g., the FTC’s guidance document on IoT, “Careful Connections: Building Security in the Internet of Things,” as well as FTC precedent, such as its proceedings against D-Link and TRENDnet. Moreover, under the law, the device manufacturer’s “reasonable” measures have to be “appropriate” to the device and the information it collects – yet another layer of ambiguity.
This vague new standard puts device manufacturers in a bind – in security, as in life, hindsight is always 20/20. No matter what security measures manufacturers use, if a significant security vulnerability is later revealed, those charged with enforcing the law could second-guess manufacturers’ decisions as to whether their security features were “reasonable” and “appropriate.”
Potentially Burdensome Enforcement Mechanism:
The requirements in the new law are not enforceable via a private right of action. Cal. Civ. Code § 1798.91.06(e). Instead, the California Attorney General and local government attorneys (city attorneys, county counsel, or district attorneys) have “exclusive authority” to enforce it. This limitation will insulate manufacturers from potentially severe monetary liability from class actions under this statute if a security problem arises. That said, California has hundreds of cities, counties, and judicial districts. As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts, even if the Attorney General, who is a statewide political officeholder with broad political accountability, might choose not to bring an action.
Existing Certification Processes Can Help Establish Diligence:
Several trusted third parties have developed certification standards for IoT devices. For instance, Underwriters Laboratories (UL) offers a comprehensive certification program that addresses more than just cybersecurity. Also, CTIA (the wireless industry’s association) recently announced a new cybersecurity certification program for cellular- and Wi-Fi-connected devices. Neither program is designed to identify or correct every security flaw in product design, software design, or code execution. Even so, these programs can help a company establish a baseline for the reasonableness of its security choices, which could significantly help in the event of either a state or federal enforcement action – whether based on the new California law or otherwise. NIST also has several ongoing activities regarding IoT security; compliance with NIST-developed standards might also help establish “reasonableness” on the part of an IoT device manufacturer.
FOOTNOTE
1 There are two notable exceptions to the application of the new law. First, it does not apply to devices whose functionality is “subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” Cal. Civ. Code § 1798.91.06(d). Second, it does not apply to entities or devices covered by HIPAA or a parallel California statute. Cal. Civ. Code § 1798.91.06(h).