What is the California IoT device security law?
The U.S. State of California Senate Bill 327 applies to all businesses that manufacture devices that make up the Internet of Things (IoT). Informally known as SB327, this nascent bill focuses on information privacy for smart devices that connect to a network.
It’s clear that the information collected from devices like laptops, phones, and tablets should be protected, but it’s less evident how the information collected from smart devices like thermostats, fitness trackers, and health devices should be protected — these are all devices that connect to the Internet, after all.
What makes SB327 so interesting is that it affects not only the U.S., where many of these devices are manufactured and sold, but also wherever those devices are used. Moreover, it’s not every day that laws are enacted for the sake of ensuring the privacy of device owners.
This is a new frontier in lawmaking: it’s fascinating to watch technology become regulated, and even more fascinating to watch that regulation evolve. However, the law is still young, and we haven’t even had a chance to see it enforced. Without a precedent for enforcement, what lies ahead could be exciting or frustrating.
Security and privacy requirements under the new law
But what does the law even require?
Some have called SB327 the “password bill,” but now that it’s been enacted, it isn’t quite a “password law.”
Certainly, some of its stipulations propose changes to password policies — each manufactured device should use a unique password to avoid the use of common default passwords, and each device should have a first-use security feature that generates a unique authentication method such as access tokens or passwords — but the core of the law is to ensure that devices are built with security defenses against the “unauthorized access, destruction, use, modification, or disclosure” of information stored on those devices.
However, the law doesn’t provide any detailed guidelines. In fact, the overarching requirement provided is “a manufacturer of a connected device shall equip the device with a reasonable security feature.”
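The two credential requirements described above (no password shared across manufactured devices, and a first-use step that generates a unique authentication method) sketched as a small Python example. This is an added illustration, not code from the post or from the bill’s text; the weak-default word list, the class and function names, and the PBKDF2 parameters are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed list of factory defaults that a provisioning routine refuses to
# accept when a user picks their own credential (assumption, not from the bill).
COMMON_DEFAULTS = {"admin", "password", "12345", "1234", "default", "root"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored verifier


class DeviceCredentialStore:
    """Credential state for one device.

    The device ships with no usable credential at all: until first_use_setup()
    has run, verify() rejects every candidate, so there is no shared default to
    guess across the fleet.
    """

    def __init__(self):
        self.salt = None
        self.digest = None
        self.provisioned = False

    def first_use_setup(self, chosen_password=None):
        """Run exactly once on first use.

        If the user supplies no password, a unique random token is generated
        for this device. If the user supplies one, common defaults and very
        short values are refused. Only a salted PBKDF2 verifier is stored.
        Returns the credential that was set so it can be shown to the user.
        """
        if self.provisioned:
            raise RuntimeError("device already provisioned")
        if chosen_password is None:
            chosen_password = secrets.token_urlsafe(16)  # unique per device
        elif chosen_password.lower() in COMMON_DEFAULTS or len(chosen_password) < 8:
            raise ValueError("rejected: common default or too short")
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", chosen_password.encode(), self.salt, PBKDF2_ROUNDS
        )
        self.provisioned = True
        return chosen_password

    def verify(self, candidate):
        """Constant-time check of a login attempt against the stored verifier."""
        if not self.provisioned:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), self.salt, PBKDF2_ROUNDS
        )
        return hmac.compare_digest(digest, self.digest)


def all_fleet_credentials_unique(n):
    """Provision n devices with generated credentials and confirm none repeat."""
    creds = [DeviceCredentialStore().first_use_setup() for _ in range(n)]
    return len(set(creds)) == n


if __name__ == "__main__":
    device = DeviceCredentialStore()
    print("login with 'admin' before setup:", device.verify("admin"))
    issued = device.first_use_setup()
    print("login with issued credential:", device.verify(issued))
    print("50 devices, all unique:", all_fleet_credentials_unique(50))
```

The point of the design is that nothing in the firmware image is a valid credential: a device that has not completed first-use setup cannot be logged into at all, which is what removes the common-default-password problem the bill targets.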
Who determines what a reasonable security feature is?
As it turns out, this is a question many standards organizations have been asking themselves. The following best practices for IoT security and privacy have already been developed:
- The Open Web Application Security Project (OWASP) IoT Top 10
- The UK Government's Code of Practice for Consumer IoT
- The European Union Agency for Cybersecurity (ENISA) recommendations
How will it impact you?
These best practices can serve as a framework for your organization, but they are only the tip of the iceberg. The rest of the iceberg is your organization developing its own security policies.
That work can extend to building your own security programs and, further still, to defining a security taxonomy; how far you go will depend on your security and financial resources. We’ve seen how companies want to move fast without feeling disrupted by security, and this rings especially true when converting security frameworks into actionable tasks.
Back to SB327
As this is a new law, we’re still paying attention to how it plays out in practice.
How will it be enforced?
How will penalties be determined?
How will organizations circumvent it?
As we have seen with the GDPR, some penalties are not nearly as severe as we initially expected.