New California Laws Ask IoT Makers for Security Features

California Gov. Jerry Brown has signed two bills that are designed to make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of Californians, as reported on GovTech.com.

The bills require manufacturers to equip connected devices with a “reasonable security feature or features” that are appropriate to their nature, function, and the information they may collect, contain, or transmit. The security features must be designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.”

The laws define a connected device as one with an Internet protocol (IP) or Bluetooth address that can connect directly or indirectly to the Internet.

State Senator Hannah-Beth Jackson, D-Santa Barbara, introduced similar legislation in February 2017 after learning the United States had not banned a “smart doll” called My Friend Cayla that allegedly could spy on children and families. Jackson also had concerns about the lack of security embedded in such IoT devices as microwave ovens, thermostats, and security cameras.

The question of what defines a “reasonable security feature or features” is one of many that industry groups cited in their opposition to the legislation.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the California Manufacturers and Technology Association said in a statement.

Jackson disagreed with the notion that the bills might create a loophole for imported devices.

“The concern, I think, is misplaced, because when the products are sold in this country, they will have to meet those standards even if they’re manufactured elsewhere,” she said.

The laws will take effect on January 1, 2020, thus giving the industry time to account for them.