As the world has come to rely increasingly on technology, everything has shifted to reflect that focus, including criminal activity. Hardly a month goes by without news of a new hacking incident in which criminals accessed the private information of consumers. This is particularly an issue given the vast numbers of interrelated computing devices on the market today.

California is one of the first states to require that safety measures be built into all Internet-of-Things devices sold in the state. The state’s Internet of Things Security Law, effective on January 1, 2020, requires that these devices be equipped with “reasonable security measures.” A lot of people are wondering which devices are covered and what types of measures are actually mandated. What exactly is meant by “reasonable security”?

What Is the Internet of Things?

The “Internet of Things” (IoT) is a term increasingly used both in the workplace and outside of it.  It refers to a system of interrelated computing devices—mechanical and digital machines, and other objects—that can connect to and transfer data over a network. 

The IoT includes household devices categorized as “smart,” usually those that can be turned on and off without a human actually touching a switch. It can include anything from cellphones to machinery like a jet engine. If a device has an on-and-off switch, then it can probably be a part of the IoT.  

Which Devices Are Covered?

The California IoT law requires that manufacturers build safety measures into all “connected devices.” It defines the term broadly, as any physical object: 

  1. capable of connecting to the internet, alone or when paired with another device, and 
  2. assigned an IP or Bluetooth address.

Clearly, many different types of equipment come within this description, including obvious things like smartphones and smart wristwatches. All smart home devices are included, like smart thermometers, refrigerators, printers, keycard readers, air conditioners, light fixtures, televisions, Bluetooth headsets and security cameras. Connected vehicles are included, as are inventory scanners, lab equipment and medical diagnostic equipment.

Who Are Manufacturers Under the IoT Law?

The businesses regulated by the IoT Security Law are the manufacturers of connected devices that are sold in California. The law is not limited to those who manufacture the devices in the state. Rather, it matters only that the devices are sold in the state. 

Those who manufacture the devices anywhere and then sell them in California are covered by the IoT Law. The law also applies to companies that arrange for others to manufacture devices for them destined to be sold in California. 

What Are Reasonable Security Features for Authentication?

The core requirement of the law is that the devices be equipped with “reasonable security” features. These features must be appropriate for the device, its purpose, and designed to protect any information on it from unauthorized access. 

When you consider how many types of devices are covered under the law, it’s easy to see that this standard is indefinite and ambiguous. One aspect has been clarified, however: authentication.

The law specifies that if the device is subject to authentication outside a local area network, it must contain a unique password, either one that is preprogrammed into it, or one that a user is required to generate. This prevents generic default credentials that can be easy for hackers to guess.

What Are Other Reasonable Security Features?

Beyond the authentication aspect of the device, the requirements of the IoT law remain undefined within the law itself. However, a California Department of Justice Breach Report issued on February 26, 2016 offered some idea of the type of safety measures required. It outlined some 600 data breaches in California and stated that the minimum security required under the law would be the 20 security controls promulgated in the CIS Critical Security Controls for Effective Cyber Defense.

These controls include the requirement that companies:

  • Inventory, track and secure from attack all connections and software
  • Continuously update software to manage system vulnerabilities
  • Protect data by regularly backing it up
  • Use encryption, integrity protection and data loss prevention techniques

It’s also critical to provide security training to all who have access to a company’s network and data, to monitor network activity to prevent the inclusion of hidden malware, to implement defenses against malware like firewalls, DMZ (demilitarized zone) perimeter networks and proxies, and to block access to entry points. 

What Is the Law’s Overall Impact?

California’s IoT law has been lauded by many as a good first step toward making connected devices safer for public use. However, it is criticized by others for being vague in terms of the reasonable security features that are mandated. 

Still, most experts recognize that, while imperfect, the California bill is better than nothing. It closes some security holes and will likely lead to additional safety laws.