By Colin Dean
On September 28, California Governor Jerry Brown signed into law the nation’s first legislation setting cybersecurity standards for Web-connected “smart devices” – often referred to as the Internet of Things. The bill passed the California state senate in late August and is viewed by many industry experts as a potential precursor to similar legislation at the federal level.
The Internet of Things Has Arrived
The Internet of Things (“IoT”) at its basic level refers to the connecting of any electronic device to the Internet and/or to each other. More specifically, though, IoT refers to the ever-expanding network of “smart devices” that are able to automatically collect and exchange data using sensors embedded in the objects. The IoT has applications in virtually every aspect of our lives – from smart homes (Amazon Echo or Google Home devices, smart thermostats and door locks, etc.) to wearables (Apple Watches, Fitbits, and even “smart clothes” equipped with embedded health trackers) to smart cities like Barcelona, which has implemented IoT initiatives to improve everything from smart parking to traffic to the environment.
Virtually every device we use in our daily lives now comes equipped with these “smart” capabilities and can be connected to the IoT. And the number of IoT-connected devices continues to grow rapidly, with experts estimating that more than 75.4 billion devices worldwide will be connected to the IoT by 2025 – up from 15.4 billion in 2015.
Hacking Concerns Spark Regulation
Given the seemingly limitless number of IoT-connected devices and the relatively insecure nature of these products, it’s unsurprising that the IoT has become the next frontier for hackers and cybersecurity attacks. Serious concerns about the security and vulnerability of IoT devices surged after the October 2016 “Mirai Botnet” attack, which was one of the largest, if not the largest, known IoT-launched cybersecurity attacks to date and took down huge swaths of the Internet, including Twitter, Netflix, Spotify, the Guardian, and CNN, among others. In response to this ever-expanding security threat, California introduced SB-327 in 2017 and subsequently became the first state in the country to implement regulations setting baseline cybersecurity standards for IoT devices where none otherwise exist.
Starting January 1, 2020, any manufacturer of a device that connects to the Internet – either directly or indirectly – must equip it with “a reasonable security feature or features” appropriate to the device’s nature and designed to prevent unauthorized access, destruction, use, modification, or disclosure of information collected by the device. If the device can be accessed from outside a local area network, it must either ship with its own unique password or force the user to set a unique password the first time the device is connected. The bill, however, does not define what constitutes a “reasonable security feature” or set a standard for determining the reasonableness of a particular security feature.
Is California’s Approach to Protecting IoT Devices the Correct One?
As is virtually always the case when implementing a reasonableness standard, industry groups and consumer advocates disagree on the potential effectiveness of California’s new law. Some cybersecurity industry experts argue that the language is too vague to be effective and implements a backwards approach to cybersecurity – that is, it attempts to require the addition of new security features rather than addressing the removal and remediation of insecure features from within products. Proponents of the law, however, say that the addition of security features and password requirements presents another line of defense against hackers and makes consumers safer. This debate – and particularly the interpretation of what constitutes a “reasonable” security feature – will no doubt end up being resolved in a lawsuit somewhere down the line.
What virtually all commentators and industry experts agree on, however, is that California’s new law has the potential to impact more than just businesses and consumers in the state. In matters of tech policy and tech legislation, California is widely viewed as a bellwether for where the rest of the country is headed. The state’s IoT law should be no different and has the potential to reignite the national conversation concerning regulation of the IoT similar to how the California Consumer Privacy Act from earlier this year (the state-level analog to the European Union’s General Data Privacy Act) sparked high-level conversations between the U.S. Commerce Department and tech giants like Google and Facebook about federal data privacy regulations.
Will There Be a Federal Response?
In fact, there is currently legislation sitting in Congress that would arguably go further in terms of IoT security regulation than California’s law. For example, the Internet of Things Cybersecurity Improvement Act, introduced by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), would require any company doing business with the federal government to ensure that its Web-connected devices are patchable, use passwords that can be changed, and are otherwise free of known security vulnerabilities. Another proposed law, the Securing IoT Act, introduced by Rep. Jerry McNerney (D-Ca.), would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.
Thus far, neither proposed bill, both of which were introduced prior to the passage of California’s IoT law, has gained the momentum needed to move through Congress. It is anticipated, though, that the rekindled national discussion surrounding IoT cybersecurity regulation spurred by the new state law will also prompt further conversation and debate concerning the implementation of similar federal regulations.
We will continue to monitor regulatory developments at the state and federal levels with regard to the Internet of Things and advise our clients accordingly on the compliance and cybersecurity issues they face.