What's the True Impact of California's New IoT Law?


While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is a bit fuzzy in terms of consequences.

When California Senate bill 327 passed in 2019, many hailed it as a major victory for the field of IoT device and data protection for not only California, but the rest of the nation as well.

Yet, on closer inspection, the newly enacted law may not have as much bite as many believe. While there are a few specifics that IoT manufacturers will have to adhere to, the remainder of the law is open to interpretation. Additionally, little is said regarding penalties for those companies that are found to be defying the rules.

Image: jamesteohart - stockadobe.com

To better understand the impact of SB 327, I reached out to Ashley Thomas, an associate at the law firm Morris Manning & Martin LLP in Washington, D.C. Ashley specializes in technology transactions and cyber security compliance. When I asked why the bill was quite vague in terms of what manufacturers were required to do from an IoT data security perspective, Ashley said, “It helps provide the manufacturer with the flexibility they need to design and implement the cyber security features for their specific product. After all, the law broadly defines an IoT device as anything that can connect to the Internet and is assigned an IP address or Bluetooth address. Additionally, given the rapid nature in which technology evolves, any specific requirement might be quickly outdated.”

While SB 327 leaves out many details of what the “reasonable security” measures a manufacturer must provide actually look like, the law does spell out a few “must-haves” from a compliance standpoint. For one, any preprogrammed password must be unique to each device, and the device must require the user to generate a new means of authentication before being granted access to the device configuration settings for the first time.
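The two concrete requirements above can be modelled in a few lines of device-side logic. The following is an added example (not code from the article or from any manufacturer): each unit gets its own random preprogrammed password at provisioning time, the configuration settings stay closed until that password has been replaced by a user-chosen one, and a small audit helper flags a provisioning manifest that reuses the same default across units. Serial numbers and passwords are constructed.

```python
import hashlib
import secrets
from collections import Counter


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    """Login state of one IoT unit. Configuration settings stay closed
    until the preprogrammed password has been replaced by a user-chosen one."""

    def __init__(self, serial: str, preprogrammed_password: str) -> None:
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(preprogrammed_password, self._salt)
        self.rotated = False  # becomes True once the user sets a new password

    def _verify(self, password: str) -> bool:
        return secrets.compare_digest(_hash(password, self._salt), self._hash)

    def change_password(self, current: str, new: str) -> bool:
        # Reject wrong current password, a re-used default, or a short password
        if not self._verify(current) or new == current or len(new) < 12:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(new, self._salt)
        self.rotated = True
        return True

    def open_settings(self, password: str) -> str:
        """Returns 'denied', 'must-change-password' or 'granted'."""
        if not self._verify(password):
            return "denied"
        return "granted" if self.rotated else "must-change-password"


def provision(serials: list[str]) -> dict[str, str]:
    """Factory step: a distinct random preprogrammed password per unit
    (the manifest whose entries would be printed on each unit's label)."""
    return {serial: secrets.token_urlsafe(12) for serial in serials}


def shared_defaults(manifest: dict[str, str]) -> list[str]:
    """Audit: preprogrammed passwords reused on more than one unit (should be empty)."""
    counts = Counter(manifest.values())
    return sorted(pw for pw, n in counts.items() if n > 1)


if __name__ == "__main__":
    manifest = provision(["SN-0001", "SN-0002"])  # constructed serials
    unit = DeviceAuth("SN-0001", manifest["SN-0001"])
    print(unit.open_settings(manifest["SN-0001"]))  # must-change-password
    unit.change_password(manifest["SN-0001"], "correct-horse-battery")
    print(unit.open_settings("correct-horse-battery"))  # granted
    print(shared_defaults({"a": "admin", "b": "admin"}))  # ['admin']
```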

There is no mention of security patches, or of how long the manufacturer must protect against emerging security threats before a device reaches end-of-life or end-of-support. The law only states that the level of security a device requires depends on what that device does. According to Ashley, this is one of the grey areas she’d like to see bolstered in the future.

Another obvious omission in the bill is any penalty that the California attorney general might hand out if a manufacturer is found not to be following the law. Ashley was quick to point out that the law does not outline any specific penalty amount. “Nor does it offer a private right of action for the consumer. Meaning, the consumer cannot seek legal recourse under this law. However, consumers can use other laws in California to pursue legal action. For example, the consumer may be able to prove that harm was suffered under the State’s unfair and deceptive practices statute. Also, the new California Consumer Privacy Act (CCPA) has a private right of action avenue if the harm suffered was due to breaches of unencrypted or nonredacted data.”

While new IoT and data security laws are helping, Ashley still believes it’s up to the consumer to be the final judge and jury when it comes to choosing which IoT devices can and should reside on their network from a security perspective. “I think you need to evaluate the terms and conditions that a manufacturer outlines from a device and data security perspective. Also, be sure to really understand how the device is configured, what data it is collecting and where that data is going.”

In short, even with the newly enacted legislation, it’s business as usual when vetting IoT devices and manufacturers.

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs, and prior experience at organizations such as State Farm Insurance, United Airlines and the ...