2020 will see a new California cybersecurity law take effect which is expected to serve as a template for future legislation. What does it mean for businesses that rely on IoT devices?
In September 2018, California became the first state to pass legislation protecting the security of connected devices. Senate Bill No. 327 defines a connected device as an object capable of an Internet connection and assigned either an IP or Bluetooth address. There are currently over 26 billion connected devices worldwide, a figure set to exceed 30 billion next year.
Every one of those could fall victim to hacks like the Mirai botnet attack, which crippled the Internet on the east coast. SB-327 attempts to be a first step in patching these vulnerabilities and will take effect on January 1, 2020. The bill is aimed at manufacturers of connected devices, who will be legally required to equip their products with reasonable security measures suited to the device and its purpose.
This law predates federal legislation on security for IoT devices, and it’s not the first time California has paved the way for tighter cybersecurity. The state passed the tough California Consumer Privacy Act of 2018 in June of that year and it’s also set to take effect in 2020.
How might SB-327 affect national policy and what will businesses have to do to comply?
What manufacturers will have to do in the future
Any business that manufactures connected devices, or contracts with a manufacturer to make them, for offer or sale in California will have to provide the following security measures:
- Measures appropriate to the function and nature of the device, and designed to protect the information it collects, contains, and transmits
- Protection against any unauthorized access to the device which may compromise its data by use, modification, disclosure, or destruction
- Devices connected to local area networks must have either a preprogrammed password that is unique to that device or a feature requiring users to generate a new form of authentication before access is granted for the first time
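The password requirement in the last bullet can be modelled as a first-access gate. The following is an added illustration, not text from the bill or code from the original article: a device provisioned with a per-device unique password is admitted as-is, while a device shipped with a shared default is refused until the user sets a new credential. The `admin` default, the serials and the `Credential`/`Device` classes are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SHARED_DEFAULT = "admin"  # constructed shared factory default, the pattern SB-327 rules out

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not recoverable from a firmware dump
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Credential:
    salt: bytes
    digest: bytes

    @classmethod
    def from_password(cls, password: str) -> "Credential":
        salt = secrets.token_bytes(16)
        return cls(salt, _hash(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

@dataclass
class Device:
    serial: str
    credential: Credential
    unique_factory_password: bool  # option 1: password preprogrammed per device
    first_access_done: bool = False

    def login(self, password: str, new_password: Optional[str] = None) -> bool:
        if not self.credential.verify(password):
            return False
        if not self.first_access_done and not self.unique_factory_password:
            # Option 2: shared default, so the user must generate a new credential
            # (different from the default) before access is granted the first time
            if not new_password or new_password == password:
                return False
            self.credential = Credential.from_password(new_password)
        self.first_access_done = True
        return True

def provision_unique(serial: str) -> "tuple[Device, str]":
    # Factory path 1: a random password unique to this unit (e.g. printed on its label)
    password = secrets.token_urlsafe(12)
    return Device(serial, Credential.from_password(password), True), password

def provision_shared(serial: str) -> Device:
    # Factory path 2: shared default; the login gate forces a change on first use
    return Device(serial, Credential.from_password(SHARED_DEFAULT), False)
```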
These measures apply only to the device itself. Manufacturers won’t be held liable for security breaches caused by third-party apps/software downloaded by users.
This is fair for the manufacturer whose only responsibility is the base product, but it could well be the loophole in SB-327 that a cybercriminal is looking for. The bill dictates that users must retain full control over their device and be able to add or modify software or firmware as they see fit. An owner could download an infected file or make system changes which let criminals in.
This may be why law enforcers will have greater powers under SB-327. In the event of a device being compromised or abused, the bill’s security measures won’t prevent law enforcement from obtaining device information. This means manufacturers will have to cooperate with requests from the police or government agencies, putting an end (at least in California) to the kind of controversial stonewalling Apple has used on law enforcement agencies in the past.
How SB-327 is being received
The Washington Post reports that certain individuals in the cybersecurity community aren’t impressed by SB-327. Some saw the bill’s terms as ambiguous and its enforcement too ill-defined; others called its approach of adding features instead of removing insecure ones wishful “‘magic pill’ or ‘silver bullet’ thinking”; still others argued that the law will only protect against the most rudimentary threats.
Others were more optimistic, acknowledging that while the bill wasn’t perfect, it was a much-needed first step into new security territory.
In order to speculate on SB-327’s future, it’s wise to consider how its predecessor, the California Consumer Privacy Act of 2018 (CCPA), is currently making waves.
The challenges of the Consumer Privacy Act—and what it and SB-327 could mean nationally
California’s Attorney General isn’t optimistic that the Consumer Privacy Act will truly get off the ground, despite its imminent deadline for going into effect. He argues that the demand for the new rights it affords, coming from the state’s 40 million citizens, may sink the law “under its own weight.”
Contrary to the Attorney General’s views, others who supported the Consumer Privacy Act cited California’s status as the most populous state as a reason why the legislation will work. This many people clamoring for change should send a nationwide message.
Predicting that the CCPA and SB-327 will have nationwide influence is a legitimate view, given that nine other states are now considering their own version of the Consumer Privacy Act. And the CCPA already extends beyond California because it applies to organizations anywhere in America that do business in the state.
Privacy is a valuable commodity—for both the individuals who seek to protect it and the companies who can profit from exploiting it. Businesses that consider ignoring SB-327 will be dissuaded by the kind of punishments already in place for breaking the Consumer Privacy Act—up to $2,500 per violation or $7,500 if that violation was intentional.
It’s reasonable to assume that both SB-327 and its predecessor will become the new normal nationwide, as more state and federal laws follow that increase cybersecurity and data privacy.
Cyberguard360 guides our clients safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 844-315-9882 or reach us through our contact form.