SB327: A new frontier in technology and privacy lawmaking

Nathanael Mohammed and Farbod H. M. Foomany

US State of California Senate Bill 327 Information Privacy: Connected Devices (SB 327)

US State of California Senate Bill 327 went into effect in January and applies to all businesses that manufacture devices that make up the Internet of Things (IoT). Informally known as SB327, this nascent bill focuses on information privacy for smart devices that connect to a network. It’s clear that the information collected from devices like laptops, phones, and tablets should be protected, but it’s less evident how the information collected from smart devices like thermostats, fitness trackers, and health devices should be protected—these are all devices that connect to the Internet, after all.

What makes SB327 so interesting is that it not only affects the United States, where many of these devices are manufactured and sold but to wherever those devices are used. Moreover, it’s not every day that laws are enacted for the sake of ensuring the privacy of device owners. This is a new frontier in lawmaking because while it’s fascinating how technology becomes regulated, it’s even more fascinating to see it evolve. However, the law is still young, and we haven’t even had a chance to see it enforced. Without a precedent for enforcement, what lies ahead could be exciting or frustrating.

Security and privacy requirements

But what does the law even require? Some have called SB327 the “password bill”, but now that it’s been enacted, it isn’t quite a “password law”. Certainly, some of its stipulations propose changes to password policies—each manufactured device should use a unique password to avoid the use of common default passwords, and each device should have a first-use security feature that generates a unique authentication method such as access tokens or passwords—but the core of the law is to ensure that devices are built with security defenses against the “unauthorized access, destruction, use, modification, or disclosure” of information stored on those devices.

However, the law doesn’t provide any detailed guidelines. In fact, the overarching requirement provided is “A manufacturer of a connected device shall equip the device with a reasonable security feature.” Who determines what a reasonable security feature is? As it turns out, this is a question many standards organizations have been asking themselves. The following best practices for IoT security and privacy have already been developed:

Next steps

These best practices can serve as a framework for your organization, but it’s only just the tip of the iceberg. The rest of the iceberg involves your organization developing its own security policies. This development can go as far as developing your own programs, and even further by detailing a security taxonomy—how far you want to go will depend on your security and financial resources. We’ve seen how companies want to move fast without feeling disrupted by security, and this rings especially true for converting security frameworks into actionable tasks. SD Elements is designed to do just this.

Back to SB327

With the law only recently having been enacted, we’re still paying attention to how it plays out in practice. How will it be enforced? How will penalties be determined? How will organizations circumvent it? As we have seen with the GDPR, some penalties are not nearly as severe as we initially expected.

Previous Article
RSA Presentation: At What Point Does DevSecOps Become Too Risky for the Business?
RSA Presentation: At What Point Does DevSecOps Become Too Risky for the Business?

This session covered the implementation of an automated, continuous risk pipeline that demonstrates how cyb...

Next Article
A Quick Insight into Security Compass’ New CEO, Rohit Sethi
A Quick Insight into Security Compass’ New CEO, Rohit Sethi

A Quick Insight into Security Compass’ New CEO, Rohit Sethi

Find out how our solution builds security and compliance into software.

Free Demo