When California Senate bill 327 passed in 2019, many hailed it as a major victory for the field of IoT device and data protection for not only California, but the rest of the nation as well.
Yet, on closer inspection, the newly enacted law may not have as much bite as many believe. While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is open to interpretation. Additionally, little is said regarding penalties for those companies that are found to be defying the rules.
To better understand the impact of SB 327, I reached out to Ashley Thomas, an associate at the law firm Morris Manning & Martin LLP in Washington D.C. Ashley specializes in technology transactions and cyber security compliance. When I asked why the bill was quite vague in terms of what manufacturers were required to do from an IoT data security perspective, Ashley said, “It helps provide the manufacturer with the flexibility they need to design and implement the cyber security features for their specific product. After all, the law broadly defines an IoT device as anything that can connect to the Internet and assigned an IP address or Bluetooth address. Additionally, given the rapid nature in how technology evolves, any specific requirement might be quickly outdated.”
While SB 327 does leave many details out of how the manufacturer is to provide “reasonable security” measures around exactly how devices are secure, the law does focus on a few “must-haves” from a compliance standpoint. For one, the use of preprogrammed passwords must be unique to each device -- and the device must require the user to immediately generate a new means of authentication prior to being granted access to the device configuration settings for the first time.
There is no mention of security patches or how long the manufacturer must protect against emerging security threats from an end-of-life or end-of-support perspective. The law only states that the level of security a device requires depends on what that device does. According to Ashley, this is one of those grey areas that she’d like to see bolstered in the future.
Another obvious omission in the bill revolves around any penalties that the California attorney general might hand out if a manufacturer is found to be not following the law. Ashley was quick to point out that the law does not outline any specific amount from a penalty perspective. “Nor does it offer a private right of action for the consumer. Meaning, the consumer cannot seek legal recourse under this law. However, consumers can use other laws in California to pursue legal action. For example, the consumer may be able to prove that harm was suffered under the States’ unfair and deceptive practices statute. Also, the new California Consumer Privacy Act (CCPA) has a private right of action avenue if the harm suffered was due to breaches of unencrypted or nonredacted data.”
While new IoT and data security laws are helping, Ashley still believes it’s up to the consumer to be the final judge and jury when it comes to choosing which IoT devices can and should reside on their network from a security perspective. “I think you need to evaluate the terms and conditions that a manufacturer outlines from a device and data security perspective. Also, be sure to really understand how the device is configured, what data it is collecting and where that data is going.”
In short, it’s business as usual when vetting IoT devices and manufacturers -- even with the newly enacted legislation.
Check out our other related articles on InformationWeek:
[Navigating the ever-changing data center industry is no easy feat. Data Center World is where you and your team can source and explore solutions, technologies and concepts you need to plan, manage and optimize your data center. Join the IT industry at Data Center World, March 16-19, in San Antonio, TX.
Using the code IW100 will grant you $100 off a conference pass. Learn More Here.]