California Enacts First U.S. Law Requiring IoT Cybersecurity

“Smart” devices have become common, if not pervasive, experiences of daily life.  Parents may monitor a baby’s heart rate and oxygen levels through sensor enabled baby socks.  Businesses may equip fleet drivers with smart hats that measure alertness to monitor for accident-causing driver fatigue.  Yogis can utilize yoga clothing with integrated sensors that provides vibrating position correcting feedback to enhance their practice and experience completely virtual guided yoga.  Beachgoers can monitor UV exposure through integrated monitoring sensors in their swimsuits.  These types of devices comprise the Internet of Things (“IoT”) and may provide innovative solutions to collecting data that can be used to drive better decision making by companies or individuals.

The convenience of connected IoT devices comes with the inherent trade-off that such devices can be vulnerable to unauthorized access by third-parties, i.e. “hacks.”  Despite being marketed as a secure monitoring device, hackers were able to access SecurView baby monitors and post online hyperlinks of the live feeds from nearly 700 cameras.  In 2015, a group of researchers were able to remotely hijack a Jeep® SUV by exploiting a security vulnerability in the vehicle’s Controller Area Network (CAN bus), allowing the researchers to make the vehicle speed up, slow down and veer off the road.  In one of the most troubling examples of an IoT security vulnerability, in 2016 the FDA announced that St. Jude Medical’s implantable cardiac devices had vulnerabilities that could allow a hacker to access a device, providing a hacker with the ability to deplete the battery or administer incorrect pacing or shocks.

While we have typically witnessed greater security in more expensive or more sophisticated devices, even these products have often had security as a secondary or tertiary priority. In short, while IoT technology may enhance users’ lives when used only as intended, it is important to be mindful of how such technology could be leveraged by malicious parties.

Historically, the U.S. has a relatively light regulatory scheme with respect to regulating IoT security.  However, beginning January 1, 2020, California state law will require manufacturers of Internet of Things (“IoT”) devices to equip such devices with “reasonable” security features that protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.  While “reasonable” can be difficult to assess, the new law specifically notes that if a connected device is equipped with a means for authentication outside a local area network, reasonable features would include (1) assigning unique preprogrammed passwords, and (2) security features that require a user to generate a new means of authentication before access is granted to the device for the first time.  Notably, once the California law goes into effect, it will be the first U.S. law to specifically regulate IoT cybersecurity.

Data breaches on IoT devices— even if it does not rise to the level of breaking a law— can have dire consequences if the data subjects feel the use of their personal information breaks some type of implied compact which can result in the erosion of goodwill. Accordingly, even before California’s IoT cybersecurity law officially goes into effect, IoT device manufacturers should be motivated to ensure they follow best practices with respect incorporating robust security and privacy considerations into the design of their devices.

Once the law goes into effect, this state law is likely to have the practical effect of having federal law significance; as the fifth largest economy in the world, with a $2.7 trillion economy, California’s consumer product regulations tend to set the de facto best practices, regardless of where the IoT developer or manufacturer is based or the data processed.