California passes the U.S.’ first IoT security bill


California likes to lead the way when it comes to digital regulation. Just a few weeks ago it passed legislation that looks like it could restore net neutrality. Now a bill designed to tighten IoT security is with the governor, awaiting the signature that will carry it into California state law.

The bill, SB-327 Information privacy: connected devices, was initially introduced in February 2017 by Senator Jackson. It was the first legislation of its kind in the US. Approved at the end of August, it will come into effect at the start of 2020 once signed by Governor Jerry Brown.


What California’s IoT bill states

The new IoT security bill covers a number of important areas. For example, manufacturers will need to equip IoT devices with certain safety and security features:

  • Security should be appropriate to the nature and function of the device.
  • The feature should be appropriate to the information an IoT may collect, contain, or transmit.
  • It should be designed to protect the device and information within it from unauthorized access, destruction, use, modification, or disclosure.

If an IoT device requires authentication over the internet, further conditions need to be met, such as:

  • The preset password must be unique to each device that is manufactured.
  • The device must ask the user to generate a new authentication method before being able to use it for the first time.
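The two authentication conditions above, modelled as an added example that is not code from the article or from the bill: each unit gets its own preset credential, the preset only unlocks the credential-change step, and a fleet audit flags any preset shared between units. The minimum credential length is an assumption; the bill sets none.

```python
"""Constructed model of the SB-327 authentication requirements:
a per-device preset credential and a forced change on first use."""
import secrets
import hmac
from collections import Counter

MIN_CREDENTIAL_LEN = 12  # assumption: the bill specifies no length


class Device:
    def __init__(self, serial, preset=None):
        self.serial = serial
        # Preset generated per unit at manufacture, not derived from the
        # serial, so one device's label reveals nothing about another's.
        self.preset = preset if preset is not None else secrets.token_urlsafe(12)
        self._credential = self.preset
        self.first_use_pending = True

    def _matches(self, supplied):
        # Constant-time comparison; False when lengths differ.
        return hmac.compare_digest(supplied.encode(), self._credential.encode())

    def login(self, supplied):
        """Returns 'denied', 'rotate_required' or 'ok'."""
        if not self._matches(supplied):
            return "denied"
        # The preset credential only unlocks the credential-change step.
        return "rotate_required" if self.first_use_pending else "ok"

    def set_credential(self, current, new):
        """Replace the credential; rejects the preset and short values."""
        if not self._matches(current):
            return False
        if new == self.preset or len(new) < MIN_CREDENTIAL_LEN:
            return False
        self._credential = new
        self.first_use_pending = False
        return True

    def read_data(self, supplied):
        """Device data is only reachable once the preset has been replaced."""
        if self.login(supplied) != "ok":
            return None
        return {"serial": self.serial, "status": "online"}


def duplicated_presets(devices):
    """Fleet audit: a preset shared by more than one unit violates the
    'unique to each device' requirement."""
    counts = Counter(d.preset for d in devices)
    return sorted(p for p, n in counts.items() if n > 1)
```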

It’s worth noting that the IoT security points mentioned above do not apply to IoT devices that are subject to security requirements under federal law. Also, a covered entity such as a health care provider, business associate, contractor, or employer subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act is exempt from the requirements mentioned above.

The IoT is a network of devices that connect to the internet via Wi-Fi. They are not openly visible, as most of them are used on a local network, but they often do not have many security measures. The bill doesn’t give an exact definition of a ‘reasonable security feature’ but provides a few guiding points in the interest of a user’s security.

The legislation states:

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

Criticisms of the IoT bill

Some cybersecurity experts have criticised the legislation. For example, Robert Graham writes on his Errata Security blog that the bill is “based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation.”

He explains that “the point [of good cybersecurity practice] is not to add ‘security features’ but to remove ‘insecure features’.”

Graham’s criticisms underline that, while the legislation might be well-intentioned, whether it will be impactful is another matter. It is, at the very least, a step in the right direction by a state that is keen to take digital security and freedom into its own hands.

You can read the bill at the California Legislative information website.
