California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:
- appropriate to the nature and function of the device;
- appropriate to the information the device may collect, contain or transmit; and
- designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.
The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The law defines “authentication” as “a method of verifying the authority of a user, process, or device to access resources in an information system.” It defines “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” “Manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.” It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA covered entities and business associates to the extent the activity in question is covered by that act.
Importantly, the law states that it does not create a private right of action and vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a county counsel, or a district attorney.
California law also already requires businesses to notify affected individuals if the business experiences a data breach and allows for a private right of action. The newly enacted California Consumer Privacy Act of 2018 also provides for not only a private right of action for certain data breaches, but also for statutory damages of between $100 and $750 per consumer per incident. Therefore, the new law fits into a broader statutory landscape that IoT manufacturers should be aware of and should take steps to mitigate the risk of litigation. That is particularly true given that plaintiffs’ lawyers have publicly stated that they are preparing for an onslaught of IoT-related litigation.
The Senate Floor Analysis explained that the law is necessary because many IoT devices “collect a vast amount of personal and intimate information” which, if not properly secured, can be vulnerable to breaches. Further, many IoT devices “can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly.”
The law was enacted contemporaneously in both the California Senate and Assembly. It takes effect on January 1, 2020.