In late August, a California state bill on cybersecurity for the Internet of Things (IoT) was passed by both houses of the California State Legislature; it currently awaits the signature of Governor Jerry Brown. If signed into law, California would become the first state in the country to enact IoT-related legislation, doing so ahead of a pair of federal bills that have been proposed to address many of the same issues.
The bill, known as SB-327 in the California Senate and as AB-1906 in the California Assembly, is designed to update existing state law, which requires a business to take reasonable steps to dispose of customer records containing personal information when it no longer needs those records, either by shredding the records or by modifying the information to make it undecipherable. Existing state law also requires a business that maintains personal information about a California resident to maintain reasonable security procedures to protect that information from unauthorized disclosure. Customers injured by a violation of these provisions are authorized to bring a civil action under state law to recover damages.
The bill would create a new title within the California Civil Code named Security of Connected Devices. The first part of this title would require a manufacturer of a connected device, defined as any object capable of connecting to the Internet and assigned either an Internet protocol address or a Bluetooth address, to equip the device with reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect or transmit, and designed to protect both the device and the information it contains from unauthorized access. Under the terms of the bill, if a device is equipped with a means for authentication outside a local area network (LAN), it shall be deemed to have a reasonable security feature if either the preprogrammed password is unique to each device manufactured or the device contains a security feature requiring the user to generate a new means of authentication before gaining access to the device for the first time.
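The two alternatives the bill names for devices that authenticate from outside the LAN are concrete enough to model. The following is an added example, not code from the article or from any manufacturer's firmware: a small device model that enforces a forced credential change before first access (the second alternative), a derivation of a per-unit factory password from a manufacturing secret and the serial number (the first alternative), and an audit function a manufacturer could run over a production batch to detect units that still share one default password. The class and function names, the key-derivation scheme, the minimum password length and the serial numbers are all assumptions made for the example.

```python
"""Added example: modelling SB-327's two "reasonable security feature"
options for a device reachable outside the LAN. Everything here
(class names, derivation scheme, sample serials) is constructed for
illustration and is not taken from the bill or from any real product."""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_PASSWORD_LEN = 12  # assumed policy value, not from the bill


def per_device_factory_password(serial: str, factory_key: bytes) -> str:
    """Option 1: a preprogrammed password unique to each unit.

    Derived with HMAC-SHA256 from a manufacturing-line secret and the
    unit's serial, so two units never share a default and the password
    cannot be guessed from the serial alone (assumed scheme)."""
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:15]).decode()


class ConnectedDevice:
    """Option 2: no access until the owner replaces the factory credential."""

    def __init__(self, serial: str, factory_password: str) -> None:
        self.serial = serial
        self._factory_password = factory_password
        self._user_salt: Optional[bytes] = None
        self._user_hash: Optional[bytes] = None

    def must_set_credentials(self) -> bool:
        """True while the owner has not yet chosen their own password."""
        return self._user_hash is None

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_initial_credentials(self, factory_password: str, new_password: str) -> bool:
        """One-time setup: the factory credential may only be used to replace itself."""
        if not self.must_set_credentials():
            return False  # setup already done; factory credential is dead
        if not hmac.compare_digest(factory_password, self._factory_password):
            return False
        if len(new_password) < MIN_PASSWORD_LEN or new_password == factory_password:
            return False
        self._user_salt = secrets.token_bytes(16)
        self._user_hash = self._hash(new_password, self._user_salt)
        return True

    def login(self, password: str) -> bool:
        """Remote login. Refused outright until the owner has set a password,
        so the factory default never grants access on its own."""
        if self.must_set_credentials():
            return False
        assert self._user_salt is not None and self._user_hash is not None
        return hmac.compare_digest(self._hash(password, self._user_salt), self._user_hash)


def audit_shared_defaults(devices: List[ConnectedDevice]) -> List[List[str]]:
    """Manufacturer self-check for option 1: groups of serials that share one
    preprogrammed password. An empty list means every unit's default is unique."""
    by_password = {}
    for d in devices:
        by_password.setdefault(d._factory_password, []).append(d.serial)
    return [serials for serials in by_password.values() if len(serials) > 1]


if __name__ == "__main__":
    key = b"constructed-factory-key-do-not-reuse"  # constructed sample secret
    batch = [ConnectedDevice(s, per_device_factory_password(s, key))
             for s in ("SN-0001", "SN-0002", "SN-0003")]
    print("shared defaults in compliant batch:", audit_shared_defaults(batch))
    legacy = [ConnectedDevice("SN-A", "admin"), ConnectedDevice("SN-B", "admin")]
    print("shared defaults in legacy batch:", audit_shared_defaults(legacy))
    dev = batch[0]
    factory = per_device_factory_password("SN-0001", key)
    print("login with factory default before setup:", dev.login(factory))
    print("first-use setup:", dev.set_initial_credentials(factory, "correct horse battery staple"))
    print("login with owner password:", dev.login("correct horse battery staple"))
```

The audit is the part a manufacturer would actually run before shipping: a batch that still contains two units with the same factory password fails option 1 and would have to rely on option 2, which the `login` method enforces by refusing any remote authentication until `set_initial_credentials` has succeeded.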
The bill would not impose duties on manufacturers of connected devices for third-party software or applications that a user chooses to add to a device, nor would it require manufacturers to prevent users from having the full ability to modify the device’s software or firmware. It also would not impose duties on providers of electronic stores or other means of purchasing or downloading software or applications. Connected devices whose functionality is subject to security requirements under federal law or federal agency regulations are not covered by the bill, and the bill does not limit the authority of law enforcement to obtain connected device information as authorized by law or a court order. The bill would not provide a basis for a private right of action; only the state’s Attorney General, or city or district attorneys, would have the authority to enforce its terms.
The California state bill on IoT cybersecurity measures has fared much better than a pair of federal bills drafted to cover cybersecurity issues in the IoT context. In March 2017, one month after the California bill was first introduced in the state senate, Rep. Jerry McNerney (D-CA) introduced H.R.1324, the Securing IoT Act, in the House of Representatives. That legislation would amend the Communications Act of 1934 to require the Federal Communications Commission (FCC) to establish cybersecurity standards that radio frequency equipment must meet in order to be certified under the FCC’s technical standards. The bill was referred to the Subcommittee on Communications and Technology in late March of 2017 and has stalled there. Last August, Sen. Mark Warner (D-VA) introduced S.1691, the IoT Cybersecurity Improvement Act, in the Senate. Co-sponsored by Sens. Cory Gardner (R-CO), Ron Wyden (D-OR), Steve Daines (R-MT) and Maggie Hassan (D-NH), the bill would set minimum cybersecurity standards for Internet-connected devices purchased by federal agencies. That bill has also stalled since it was introduced.