California IoT Legislation To Secure Devices

It may be hard to believe, but the California Consumer Privacy Act is not the only new law that will go into effect on Jan. 1, 2020. New laws in California and Oregon that regulate Internet of Things (IoT) devices take effect on that date as well. Below is an overview of those laws.
California
In September 2018, California became the first state to enact legislation directed at securing IoT devices (SB-327). The California legislation requires “manufacturers” of “connected devices” to equip them with “a reasonable security feature or features” that are appropriate to the nature and function of the device, appropriate to the information the device may collect, contain or transmit, and designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification or disclosure.
The law further provides that if a connected device is equipped with a means for authentication outside a local area network (that is, it can be logged into remotely), the device shall be deemed to have a “reasonable security feature” if either the pre-programmed password is unique to each device, or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
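The two authentication paths the statute deems reasonable, modeled in a short Python example. This is an added illustration, not code from the article, the statute or any manufacturer. The `Device` class, the function names, the salted PBKDF2 storage and the 12-character minimum for a replacement password are assumptions for illustration; the statute specifies none of them. Note that the statute says only “unique to each device”: the example draws the per-device password from a CSPRNG rather than deriving it from the serial number or MAC address, so one device’s label reveals nothing about another’s.

```python
"""Added example (not from the article or statute): the two authentication paths
California's IoT law deems a "reasonable security feature" for a device that
can be authenticated from outside the local network:

  1. a pre-programmed password that is unique to each device, or
  2. a feature that forces the user to set a new credential before any access
     is granted for the first time.

Device names and interfaces are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted hash of the credential, never the credential itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    credential_is_factory: bool = True  # True while a shared default is still in place

    def set_password(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def provision_unique_password(dev: Device) -> str:
    """Path 1: at manufacture, generate a per-device password from a CSPRNG
    (e.g. printed on the device label). Random, not derived from the serial."""
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(16))
    dev.set_password(password)
    dev.credential_is_factory = False  # unique already, so no forced change needed
    return password


def provision_shared_default(dev: Device, default: str = "admin") -> None:
    """Path 2 starting point: one factory password shared by the product line.
    Only acceptable if no access is granted until the user replaces it."""
    dev.set_password(default)
    dev.credential_is_factory = True


def authenticate(dev: Device, password: str) -> str:
    """Authentication gate for the device's management interface."""
    if not dev.check(password):
        return "denied"
    if dev.credential_is_factory:
        # Path 2: the shared factory credential is still in place, so the only
        # permitted action is change_password(); no other access is granted yet.
        return "denied: set a new password before first use"
    return "granted"


def change_password(dev: Device, old: str, new: str) -> bool:
    """The one operation allowed while the factory credential is still set."""
    if not dev.check(old) or new == old or len(new) < 12:
        return False
    dev.set_password(new)
    dev.credential_is_factory = False
    return True


def demo() -> dict:
    """Exercise both paths on constructed devices and return the outcomes."""
    results = {}
    a, b = Device("SN-0001"), Device("SN-0002")
    pa, pb = provision_unique_password(a), provision_unique_password(b)
    results["unique_passwords_differ"] = pa != pb
    results["unique_login"] = authenticate(a, pa)
    results["cross_device_reuse"] = authenticate(b, pa)  # a's password fails on b

    c = Device("SN-0003")
    provision_shared_default(c)
    results["default_before_change"] = authenticate(c, "admin")
    results["password_changed"] = change_password(c, "admin", "correct-horse-battery")
    results["new_after_change"] = authenticate(c, "correct-horse-battery")
    results["default_after_change"] = authenticate(c, "admin")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The shared-default device is included only to show the failure the second path is meant to close: with the factory credential in place, `authenticate` refuses every request until `change_password` has succeeded, and the old default stops working afterwards.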
The law defines a “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.”
It defines “manufacturer” as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.”
It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA-covered entities and business associates to the extent that the activity in question is covered by that act.
Oregon
Oregon’s legislation was modeled on California’s law and, therefore, shares many similarities. One notable difference is that Oregon’s legislation defines “connected device” to mean “a device or other physical object” that “connects, directly or indirectly, to the Internet and is used primarily for personal, family or household purposes” and “is assigned an internet protocol address or another address or number that identifies the connected device for the purpose of making a short-range wireless connection to another device.”
The inclusion of the phrase “used primarily for personal, family or household purposes” is a potentially significant limitation for IoT manufacturers.
The Oregon legislation also contains a different definition of “manufacturer,” stating that the term “means a person that makes a connected device and sells or offers to sell the connected device in this state.” In comparison, California’s law defines manufacturers to include any entity that “contracts with another person to manufacture [the connected device] on the person’s behalf.”