California recently became the first state in the union to pass a cybersecurity law addressing "smart" devices and Internet of Things (IoT) technology. The term IoT generally refers to anything connected to the internet, including smart home devices (e.g., Amazon's Alexa, NEST thermostats, etc.). The new bill, SB-327, was introduced last year, passed the Senate in late August, was signed by the governor in September, and will go into effect January 1, 2020.

Below is a summary of California's new law and some takeaways for IoT device manufacturers as they move toward January 1, 2020 compliance.

Core Security Obligation

The new law addresses the security obligations of "manufacturers" of connected devices. "Manufacturer" is defined under the new law as "the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in California." (Civ. Code § 1798.91.05(c)) The new law therefore impacts manufacturers outside of California.

Under the new law, a covered "manufacturer" of a connected device must equip the device with a "reasonable security feature or features" that are:

  • "Appropriate to the nature and function of the device[;]"
  • "Appropriate to the information it may collect, contain, or transmit[;]" and
  • "Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure." (Civ. Code § 1798.91.04(a)(2)-(3))

The phrase "security feature" is defined as a "feature of a device designed to provide security for that device." (Civ. Code § 1798.91.05(d)) The phrase "unauthorized access, destruction, use, modification, or disclosure" is defined to mean "access, destruction, use, modification, or disclosure that is not authorized by the consumer." (Civ. Code § 1798.91.05(e))

If the device is equipped with a "means for authentication outside a local area network, it shall be deemed a reasonable security feature" if either of the following security requirements is met:

  • The preprogrammed password is unique to each device manufactured[;] or
  • The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. (Civ. Code § 1798.91.04(b)(1)-(2))

Takeaways

  • Manufacturers Are Not Responsible For User Choices Or Third Party App Providers: The new law makes clear that a covered manufacturer will not be responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device. (Civ. Code § 1798.91.06(a)) Manufacturers are also not required to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion. (Civ. Code § 1798.91.06(c)) Finally, the law imposes no obligations on the provider of any "electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications[.]" (Civ. Code § 1798.91.06(b))
  • Medical Devices Are Likely Excluded: The new law states that it does not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority. (Civ. Code § 1798.91.06(d)) This would ostensibly include connected medical devices that are regulated by the U.S. Food and Drug Administration (FDA). Since 2014, the FDA has issued guidance governing the cybersecurity requirements for regulated medical devices.
  • No Private Right of Action: The new law makes clear that there will be no private right of action. "The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title." (Civ. Code § 1798.91.06(e))
  • HIPAA Exception: The new law excludes a covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to HIPAA or the Confidentiality of Medical Information Act with "respect to any activity regulated by those acts." (Civ. Code § 1798.91.06(h))
  • Risk Assessments Are Key: As with most new cybersecurity laws, the most prudent course of action until the law enters into effect is to conduct a risk assessment of current products subject to the law, and to determine what security measures are in place. These security measures can be measured against appropriate industry standards, including the cybersecurity frameworks promulgated by the National Institute for Standards and Technology (NIST) and the International Standards Organization (ISO). Until there is more enforcement guidance or action taken with respect to this new law, or until the new law is amended before its January 1, 2020 enforcement date, what will be deemed "appropriate" under the new law remains an open question.

For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com
