The Basics

The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:
- appropriate to the nature and function of the device;
- appropriate to the information it may collect, contain or transmit; and
- designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. (Cal. Civ. Code §1798.91.04(a))
- Device manufacturers are not responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device (§1798.91.06(a)); however, "unaffiliated" is not defined. If a manufacturer has a third-party compatibility certification program like the Amazon Connected Device Certification program, is the certified third-party software or application still unaffiliated?
- The law does not require importers or physical resellers (§1798.91.05(c)) or virtual resellers (§1798.91.06(b)) to review devices for compliance or to enforce compliance.
- The law does not apply to devices subject to federal security regulations or to entities subject to HIPAA or the California Confidentiality of Medical Information Act (§§1798.91.06(d) and (h)).
Nearsighted?

Robert Graham of Errata Security argues that the law reflects a superficial and erroneous understanding of cybersecurity. For example, Graham describes how security risks in some connected devices may be better addressed by removing features (such as removing listening ports) than by adding security features such as firewalls, encryption or automated patching. Graham suggests that security will be improved not through incremental "security features" but through improved security-by-design as well as timely identification, disclosure and remediation of security issues.
Toothless?

The law has three significant enforcement limitations:
- There is no private right of action (§1798.91.06(e)). The law can only be enforced by the California Attorney General, a county counsel or a district attorney.
- The law does not define any penalties.
- Since importers and resellers are not responsible for compliance, the law will only be enforceable against foreign or out-of-state manufacturers to the extent the California courts find personal jurisdiction over them.
A Wolf in Sheep's Clothing?

The definition of connected device is not limited to consumer or personal devices. It applies to all connected devices unless the device falls within a specific exclusion (such as devices regulated by federal security requirements or HIPAA). If you manufacture connected devices, what guidance does the law provide regarding what security features are reasonable and appropriate? You might be comforted by Section 1798.91.05(b), which states that:

"Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside of a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
- The preprogrammed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."