What's the True Impact of California's New IoT Law? - InformationWeek

1/31/2020
07:30 AM

What's the True Impact of California’s New IoT Law?

While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is a bit fuzzy in terms of consequences.

When California Senate bill 327 passed in 2019, many hailed it as a major victory for the field of IoT device and data protection for not only California, but the rest of the nation as well.

Yet, on closer inspection, the newly enacted law may not have as much bite as many believe. While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is open to interpretation. Additionally, little is said regarding penalties for those companies that are found to be defying the rules.

Image: jamesteohart - stockadobe.com

To better understand the impact of SB 327, I reached out to Ashley Thomas, an associate at the law firm Morris Manning & Martin LLP in Washington D.C. Ashley specializes in technology transactions and cyber security compliance. When I asked why the bill was quite vague in terms of what manufacturers were required to do from an IoT data security perspective, Ashley said, “It helps provide the manufacturer with the flexibility they need to design and implement the cyber security features for their specific product. After all, the law broadly defines an IoT device as anything that can connect to the Internet and is assigned an IP address or Bluetooth address. Additionally, given the rapid nature in how technology evolves, any specific requirement might be quickly outdated.”

While SB 327 leaves out many details of how a manufacturer is to provide “reasonable security” for its devices, the law does focus on a few “must-haves” from a compliance standpoint. For one, preprogrammed passwords must be unique to each device -- and the device must require the user to immediately generate a new means of authentication before being granted access to the device configuration settings for the first time.

There is no mention of security patches or how long the manufacturer must protect against emerging security threats from an end-of-life or end-of-support perspective. The law only states that the level of security a device requires depends on what that device does. According to Ashley, this is one of those grey areas that she’d like to see bolstered in the future.

Another obvious omission in the bill revolves around any penalties that the California attorney general might hand out if a manufacturer is found to be not following the law. Ashley was quick to point out that the law does not outline any specific amount from a penalty perspective. “Nor does it offer a private right of action for the consumer. Meaning, the consumer cannot seek legal recourse under this law. However, consumers can use other laws in California to pursue legal action. For example, the consumer may be able to prove that harm was suffered under the State’s unfair and deceptive practices statute. Also, the new California Consumer Privacy Act (CCPA) has a private right of action avenue if the harm suffered was due to breaches of unencrypted or nonredacted data.”

While new IoT and data security laws are helping, Ashley still believes it’s up to the consumer to be the final judge and jury when it comes to choosing which IoT devices can and should reside on their network from a security perspective. “I think you need to evaluate the terms and conditions that a manufacturer outlines from a device and data security perspective. Also, be sure to really understand how the device is configured, what data it is collecting and where that data is going.”

In short, it’s business as usual when vetting IoT devices and manufacturers -- even with the newly enacted legislation.

 

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs and prior experience at organizations such as State Farm Insurance, United Airlines and the ...