California’s New “Smart” Cybersecurity Law
Did you know that 20.4 billion Internet of Things (IoT) devices will be online by the end of this year? This technology, from wearables to home appliances, has become a big part of the personal and professional worlds.
The IoT is a natural evolution of the Internet, consisting of a range of new “smart” and “connected” products and technologies for the commercial, consumer, and government environments. In addition, on the consumer and office side, vendors are rushing to meet the growing market demand for new products that are always-on, connected, and available.
Unfortunately, aspects of product security and lifecycle are often treated as an afterthought at best in the development and production of these products. More and more of us are buying devices for our homes and offices, and even devices that we carry with us, that require a connection to the Internet. Have you stopped to consider the risks?
As these intranets of devices are ultimately connected to internal networks and the public Internet, they open up new vectors for adversaries and hackers to launch attacks against our important assets and networks. That’s why California has recently put new legislation in place to make smart devices more secure.
Understanding California’s New Smart Security Legislation
The good news is that unless you manufacture smart devices (i.e., you’re “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California”), you don’t have to worry about complying with this law.
This legislation requires those manufacturing such devices (not end users) to make sure the devices have a “reasonable security feature or features” that must be “appropriate to the nature and function of the device [and] the information it may collect, contain, or transmit.”
That said, the following measures offer safe harbors for manufacturers:
- The preprogrammed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
What Does This New Legislation Mean For You?
As a business owner, at worst, this legislation will only improve the security standards in place for any new smart technology you invest in. While the legislation is rather vague and will require the California attorney general or a city attorney, county counsel, or district attorney to enforce it, it will likely help to promote a higher level of security in what has so far been a rather unregulated area of technology.