Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
9/19/2019
04:15 PM

California's IoT Security Law Causing Confusion

The law, which goes into effect January 1, requires manufacturers to equip devices with 'reasonable security feature(s).' What that entails is still an open question.

Companies that make connected devices — from Internet routers to connected thermostats to home-monitoring cameras — need to start preparing for the enforcement of California's Internet of Things (IoT) security law, which goes into effect on January 1, 2020, attorneys said this week.

The question is whether a simple authentication fix is enough for most devices or whether companies need to adhere to a more rigorous standard.

The California law, Senate Bill 327, was approved by the governor a year ago and requires that all connected devices sold in the state, no matter where they are made, incorporate "a reasonable security feature or features" that appropriately protect the user of the product and the user's data from unauthorized access, modification, or disclosure. For devices that can be reached from outside a local area network, the law spells out one way to meet that bar: a single hard-coded password shared across every unit of a product is not acceptable, and each device must either ship with a preprogrammed password that is unique to that device or require the user to generate a new means of authentication before access is granted for the first time.
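The two authentication alternatives the statute spells out, worked through as an added example; this is not code from the article, from the statute, or from any device maker. It assumes a factory-held key (hypothetically kept in a factory HSM and never written to the device), device serial numbers, and a PBKDF2 round count, all of which are constructed here. The first alternative is a per-device password derived from the serial and printed on the label; the second is a gate that refuses every operation except a password change until the owner has picked a credential of their own. Both are combined, so even the label password only buys the right to replace itself.

```python
"""First-boot authentication gate of the kind the California statute describes.
Added example, not code from the article or any vendor."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # illustrative; tune to the device's CPU budget


@dataclass
class CredentialStore:
    """What the device keeps in flash: a salted hash, never the password, so a
    dumped firmware image does not yield the credential."""
    salt: bytes = b""
    pw_hash: bytes = b""
    user_set: bool = False  # flips to True once the owner picks a password


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def factory_provision(store: CredentialStore, serial: str, factory_key: bytes) -> str:
    """Alternative (1): a preprogrammed password unique to each device.
    Derived from the factory key and the serial, printed on the label, and only
    its hash is written to the device. factory_key is assumed to stay in the
    factory (hypothetical HSM), so the label password cannot be recomputed
    from the firmware image alone."""
    raw = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    label_password = base64.b32encode(raw[:10]).decode("ascii")  # 16 characters
    store.salt = os.urandom(16)
    store.pw_hash = _hash(label_password, store.salt)
    store.user_set = False
    return label_password


def authenticate(store: CredentialStore, password: str) -> bool:
    if not store.pw_hash:
        return False  # never provisioned: fail closed, not open
    return hmac.compare_digest(_hash(password, store.salt), store.pw_hash)


def authorize(store: CredentialStore, password: str, operation: str) -> str:
    """Alternative (2): until the owner sets a new credential, the only thing
    the device will do is let them set one.
    Returns "denied", "must_change_password", or "ok"."""
    if not authenticate(store, password):
        return "denied"
    if not store.user_set and operation != "set_password":
        return "must_change_password"
    return "ok"


def set_password(store: CredentialStore, current: str, new: str) -> bool:
    if authorize(store, current, "set_password") != "ok":
        return False
    if len(new) < 12 or new == current:
        return False  # minimal policy; real firmware would check more
    store.salt = os.urandom(16)
    store.pw_hash = _hash(new, store.salt)
    store.user_set = True
    return True


def walkthrough() -> dict:
    """Runs the first-boot flow on constructed data and returns what happened."""
    factory_key = b"constructed-factory-key-not-a-real-secret"
    cam_a, cam_b = CredentialStore(), CredentialStore()
    pw_a = factory_provision(cam_a, "CAM-000001", factory_key)  # constructed serials
    pw_b = factory_provision(cam_b, "CAM-000002", factory_key)
    return {
        "unique_per_device": pw_a != pw_b,
        "wrong_password": authorize(cam_a, "admin", "read_stream"),
        "label_password_before_change": authorize(cam_a, pw_a, "read_stream"),
        "change_to_short": set_password(cam_a, pw_a, "short"),
        "change_ok": set_password(cam_a, pw_a, "correct horse battery staple"),
        "after_change": authorize(cam_a, "correct horse battery staple", "read_stream"),
        "label_password_after_change": authorize(cam_a, pw_a, "read_stream"),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The label password is deliberately retired once the owner sets their own, which is stricter than either alternative alone requires; a device that keeps honoring the label credential after setup reintroduces a credential the manufacturer, or anyone who photographed the label, still knows.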

The way the law is written, ensuring devices follow that guidance may be enough, says Christine Lyon, partner in the privacy practice of Morrison & Foerster. "The law is only specific to authentication," she says. "That seems sufficient, but what I suspect will happen over time is that we will see more specificity around the required security features."

Another attorney argues that a strong authentication mechanism is only one of the required features. Guidance on what constitutes "reasonable security" is hinted at by the state's 2016 data breach report, which labeled the Center for Internet Security's Critical Security Controls for Effective Cyber Defense as the "floor" for adequate security, says Dan Pepper, a privacy and data protection partner at the law firm BakerHostetler.

"The law is offering companies flexibility," he says. "But if all you are doing is taking the authentication step and you are not doing anything with updates or patches, encryption, or third-party components, then you are falling short. That authentication piece is just one concrete example."

The confusion has led many companies to assess their exposure under the statute and to wait for further guidance, the attorneys say. The law does not give consumers a private right of action: only the state attorney general and local prosecutors can investigate or penalize companies under it, which is another consideration for companies in assessing their risk.

While the security required by the law may seem like baby steps, the number of devices affected by the legislation is quite large, according to the attorneys. The text of the legislation does not list types of devices; it defines a "connected device" only as one capable of connecting to the Internet, directly or indirectly, and assigned an IP or Bluetooth address, so the law likely applies to a long list of hardware, including printers, security cameras, smart lightbulbs, and Apple Watches, Pepper says.

"Quite a few different types of devices are impacted," he says.

The California law is not the only legislation to target the security of connected devices. With 25 billion devices expected to be part of the global IoT landscape, legislators are subjecting IoT manufacturers to increasing scrutiny. 

In March, US lawmakers introduced a bipartisan bill into Congress that would require IoT makers selling devices to the government to follow guidelines produced by the National Institute of Standards and Technology. Known as the Internet of Things Cybersecurity Improvement Act of 2019, the bill is the third time that federal legislation has been introduced to require security measures by connected device makers. A bill to govern IoT security has been introduced into Congress annually since 2017.

Because the California law applies to any device sold to consumers in the state — and the manufacture of too many product variants is cost-prohibitive — the impact of the law will likely be national, says Morrison & Foerster's Lyon.

"Because the law's requirements are not onerous, and because it is time consuming to create a special version of products just for the Californian market, companies will probably implement these changes across all their products," she says.

In conjunction with the California Consumer Privacy Act (CCPA), the law will put new responsibilities and restrictions on companies for privacy and data security.

"The enactment of the CCPA will be a watershed moment for data privacy not just in California, but also throughout the United States," said Attila Tomaschek, data privacy advocate at ProPrivacy.com, in a statement. "Since any applicable business across the country and indeed across the globe that serves consumers in California will be required to abide by the law, companies across the board will likely be gearing up for compliance."

The California law explicitly places no duty on retailers or other sellers of devices to review or enforce compliance. The law also cannot be read as justifying anti-tinkering measures: it states that it does not require features that "prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion."

In addition, the law does not limit law enforcement's existing authority to obtain connected-device information from a manufacturer as otherwise authorized by law or by court order.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
