Much of the business world has been focusing on ensuring it is compliant with California’s tough Consumer Privacy Act (CCPA) that took effect Jan. 1, 2020. Far less attention has been paid to a second law enacted by the state legislature that came into force at the same time regulating the data security of connected “smart” devices.
Called the IoT law, the far-reaching act covers everything from connected bathroom scales and fitness trackers to printers, major appliances and some GPS devices. About the only products exempt from California’s rules are those regulated by federal law, such as medical devices covered by the FDA and vehicles that come under the purview of the National Highway and Transportation Safety Act.
Like CCPA, California’s IoT law covers California residents and households regardless of where the manufacturer is based or where an item is actually made. But because of the state’s huge population and massive economic impact – by some estimates, California is the world’s fifth-largest economy – in many respects its IoT law became a national law.
Complying with the IoT Law
For the first time, IoT devices must have what the legislation calls “reasonable” security features that are appropriate to the nature of the device, and the information being collected, transmitted and stored, and are intended to protect both the device and its information from unauthorized access, use, modification, disclosure or destruction.
The law doesn’t actually define what a “reasonable” security feature might be, except for devices that can be accessed from outside a home’s local network – a basic function of any consumer-focused IoT device. Each such device must have a unique password, and users must be able to create their own method of authentication before access to the device is allowed the first time it is used.
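As an added illustration of the two first-use credential rules just described (this is not code from the article or from any device vendor; the device class, the deny-list of shared factory defaults, the minimum length and the request dispatcher are all constructed for this example), here is a small Python model of a device that either ships with a password unique to the unit or refuses every request until the user sets one:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

# Constructed deny-list standing in for a vendor's shared factory defaults.
# One password shared across a whole product line is exactly what the
# "unique password" rule is meant to rule out.
WELL_KNOWN_DEFAULTS = {"admin", "password", "123456", "12345678", "1234", ""}
MIN_LENGTH = 8          # constructed policy value, not from the statute
PBKDF2_ROUNDS = 100_000


def credential_is_acceptable(pw: str) -> bool:
    """Reject empty, too-short, or well-known shared default passwords."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in WELL_KNOWN_DEFAULTS


def provision_fleet(serials: List[str]) -> Dict[str, str]:
    """Factory step for the 'unique password per device' path: a distinct
    random password per serial (in practice printed on the unit's label)."""
    passwords = {serial: secrets.token_urlsafe(12) for serial in serials}
    if len(set(passwords.values())) != len(passwords):
        raise RuntimeError("random generator produced a duplicate password")
    return passwords


class Device:
    """Simulated connected device with the two compliance paths:
    shipped with a preprogrammed password unique to this unit, or shipped
    with no credential, in which case every request is refused until the
    user creates one during first-time setup."""

    def __init__(self, serial: str, preprogrammed_password: Optional[str] = None):
        self.serial = serial
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None
        # No factory credential: setup gates all access until the user sets one.
        self.setup_required = preprogrammed_password is None
        if preprogrammed_password is not None:
            # A factory credential must still not be a shared default.
            if not credential_is_acceptable(preprogrammed_password):
                raise ValueError(f"{serial}: factory password is a shared default")
            self._store(preprogrammed_password)

    def _store(self, pw: str) -> None:
        # Salted PBKDF2 so a dumped flash image does not yield the plaintext.
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)

    def set_credential(self, new_pw: str) -> bool:
        """First-time setup (or later rotation). Returns False on a weak choice."""
        if not credential_is_acceptable(new_pw):
            return False
        self._store(new_pw)
        self.setup_required = False
        return True

    def authenticate(self, pw: str) -> bool:
        if self.setup_required or self._salt is None or self._digest is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._digest)

    def handle_request(self, pw: str, action: str) -> str:
        """Remote request dispatcher: every action is blocked until setup is
        complete, then gated on authentication."""
        if self.setup_required:
            return "setup_required"
        if not self.authenticate(pw):
            return "denied"
        return f"ok:{action}"


if __name__ == "__main__":
    unit = Device("SN-0001")                      # ships without a credential
    print(unit.handle_request("x", "read_temperature"))   # setup_required
    print(unit.set_credential("password"))        # False: shared default
    print(unit.set_credential("correct-horse-battery"))   # True
    print(unit.handle_request("correct-horse-battery", "read_temperature"))
```

The deny-list and minimum length are placeholders for whatever policy a vendor adopts; the structural point is that a device with no unique factory credential exposes nothing, remotely or locally, until a user-chosen credential exists.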
As a result, businesses making and selling smart IoT devices need to review and reconsider what information is being collected and how it is used. The law repeatedly refers specifically to traditional household items, such as microwaves and children’s toys, which often have the ability to collect more data than is really needed to function properly.
In the legislative report that accompanied the law, the Assembly referred to a smart doll with Bluetooth that allowed the doll to talk with kids. It prompted children to provide all sorts of irrelevant information, such as their addresses and the names of their schools. A hacker could use this data to do all sorts of horrible things to vulnerable children.
As yet another related example, a business owner in Buffalo, New York, complained on LinkedIn when she discovered to her horror that her Google Home Assistant began recommending nursery rhymes to her two-year-old when the child asked for her favorite song to be played. The woman said she disconnected the device immediately and now only plays music to the little girl from a computer. Given Google’s history, she worried about which third parties had purchased the information about her daughter and the family.
California legislators also referred to the ability of malware to spread across a network of IoT devices simply because a user made dinner.
So, manufacturers of connected devices need to take into account the potential for a virus, malware or ransomware to spread across a network of their devices.
It is not difficult to do: a researcher hacked into his own smart insulin pump, which allowed him to control the amount and frequency of his insulin delivery. A lethal dose could be delivered remotely by a hacker.
A Need to be Proactive
All companies making and selling any sort of consumer-focused smart devices need to be proactive in addressing the security issues inherent in their product.
If a device is hacked and the data stolen or misused, one of the strongest defenses against a complaint filed by the state after a security incident would be that the business took “reasonable steps” – the wording in the legislation – to prevent it from happening. This makes ensuring the security of an IoT device the responsibility of the CEO and the board.
As data security and privacy attorneys, we are tracking the growing expansion of state legislation designed to protect consumers and their families. We are also following the progress of proposed federal legislation as various bills move through House subcommittees.
If you are in senior management as an executive or general counsel and have questions about what you need to do to comply with California’s IoT security law, feel free to contact us. We will be happy to share with you ideas on how to stay in compliance.