What's the True Impact of California's New IoT Law? - InformationWeek

Commentary
1/31/2020
07:30 AM

What's the True Impact of California’s New IoT Law?

While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is a bit fuzzy in terms of consequences.

When California Senate Bill 327 passed in 2019, many hailed it as a major victory for IoT device and data protection, not only for California but for the rest of the nation as well.

Yet, on closer inspection, the newly enacted law may not have as much bite as many believe. While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is open to interpretation. Additionally, little is said regarding penalties for those companies that are found to be defying the rules.

Image: jamesteohart - stockadobe.com

To better understand the impact of SB 327, I reached out to Ashley Thomas, an associate at the law firm Morris Manning & Martin LLP in Washington, D.C. Ashley specializes in technology transactions and cyber security compliance. When I asked why the bill was quite vague about what manufacturers are required to do from an IoT data security perspective, Ashley said, “It helps provide the manufacturer with the flexibility they need to design and implement the cyber security features for their specific product. After all, the law broadly defines an IoT device as anything that can connect to the Internet and is assigned an IP address or Bluetooth address. Additionally, given the rapid nature in how technology evolves, any specific requirement might be quickly outdated.”

While SB 327 leaves out many details of how the manufacturer is to provide “reasonable security” measures for its devices, the law does focus on a few “must-haves” from a compliance standpoint. For one, preprogrammed passwords must be unique to each device -- and the device must require the user to immediately generate a new means of authentication before being granted access to the device configuration settings for the first time.

There is no mention of security patches or how long the manufacturer must protect against emerging security threats from an end-of-life or end-of-support perspective. The law only states that the level of security a device requires depends on what that device does. According to Ashley, this is one of those grey areas that she’d like to see bolstered in the future.

Another obvious omission in the bill concerns the penalties that the California attorney general might hand out if a manufacturer is found not to be following the law. Ashley was quick to point out that the law does not outline any specific penalty amount. “Nor does it offer a private right of action for the consumer. Meaning, the consumer cannot seek legal recourse under this law. However, consumers can use other laws in California to pursue legal action. For example, the consumer may be able to prove that harm was suffered under the State’s unfair and deceptive practices statute. Also, the new California Consumer Privacy Act (CCPA) has a private right of action avenue if the harm suffered was due to breaches of unencrypted or nonredacted data.”

While new IoT and data security laws are helping, Ashley still believes it’s up to the consumer to be the final judge and jury when it comes to choosing which IoT devices can and should reside on their network from a security perspective. “I think you need to evaluate the terms and conditions that a manufacturer outlines from a device and data security perspective. Also, be sure to really understand how the device is configured, what data it is collecting and where that data is going.”

In short, it’s business as usual when vetting IoT devices and manufacturers -- even with the newly enacted legislation.

 

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs and prior experience at organizations such as State Farm Insurance, United Airlines and the ...