California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?

With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.

The Basics

The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:

1. appropriate to the nature and function of the device;
2. appropriate to the information it may collect, contain or transmit; and
3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. (Cal. Civ. Code §1798.91.04(a))

A connected device is any device capable of connecting to the Internet, directly or indirectly that is assigned an Internet Protocol address or Bluetooth address (§1798.91.05(b)) Manufacturers include anyone who manufactures (or contracts with a third party to manufacture) connected devices that are sold or offered for sale in California (§1798.91.05(c)). The law has a number of exceptions and carveouts, including the following:

• Device manufacturers are not responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device (§1798.91.06(a)); however, unaffiliated is not defined. If a manufacturer has a third-party compatibility certification program like the Amazon Connected Device Certification program, is the certified third-party software or application still unaffiliated?
• The law does not require importers or physical resellers (§1798.91.05(c)) or virtual resellers (§1798.91.06(b)) to review devices for compliance or to enforce compliance.
• The law does not apply to devices subject to federal security regulations or to entities subject to HIPAA or the California Confidentiality of Medical Information Act (§§1798.91.06(d) and (h)).

Nearsighted?

Robert Graham of Errata Security argues that the law reflects a superficial and erroneous understanding of cybersecurity. For example, Graham describes how security risks in some connected devices may be better addressed by removing features (such as removing listening ports) than by adding security features such as firewalls, encryption or automated patching. Graham suggests that security will be improved not through incremental “security features” but through improved security-by-design as well as timely identification, disclosure and remediation of security issues.

Toothless?

The law has three significant enforcement limitations:

• There is no private right of action (§1798.91.06(e)). The law can only be enforced by the California Attorney General, a county counsel or a district attorney.
• The law does not define any penalties.
• Since importers and resellers are not responsible for compliance, the law will only be enforceable against foreign or out-of-state manufacturers to the extent the California courts find personal jurisdiction over them.

A Wolf in Sheep’s Clothing?

The definition of connected device is not limited to consumer or personal devices. It applies to all connected devices unless the device falls within a specific exclusion (such as devices regulated by federal security requirements or HIPAA). If you manufacture connected devices, what guidance does the law provide regarding what security features are reasonable and appropriate? You might be comforted by Section 1798.91.05(b), which states that: Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside of a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

1. The preprogrammed password is unique to each device manufactured.
2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

That almost sounds like a safe harbor – use unique passwords or user-generated passwords for all of your device’s authentication processes, and your device will meet the “reasonable security feature” requirement. Unfortunately, that overlooks the preface: “Subject to all of the requirements of subdivision (a)…”. So what we have is meaningless, circular guidance -- if you have reasonable security features that are (a) appropriate to the nature and function of the device; (b) appropriate to the information that is collected, contained or transmitted; (c) designed to protect the device and information from unauthorized access, destruction, use, modification or disclosure; and (d) the device’s external authentication processes use unique passwords or user-generated passwords, then your device has reasonable security features. As has happened with the evolution of the “reasonability” standard in FTC cybersecurity enforcement actions, the definitions of reasonable and appropriate will be defined incrementally with each new data breach case using 20/20 hindsight. Based on what we know after the breach, were the manufacturer’s design and implementation decisions reasonable at the time the device was manufactured? This law is very broad and vague, and it doesn’t necessarily provide an effective solution for increasing security of rapidly-changing technology. Like many new products, this first-of-its-kind state law has a number of serious issues. Will the law’s “manufacturers” provide an updated version 2 to address the limitations in version 1?