Administrative/Regulatory
Jan. 9, 2019
SB 327: Teddy bears & toasters: Law addresses IoT device security
In September, California became the first state to pass a law addressing cybersecurity concerns with devices that connect to the internet.
Anne Kelley
Partner
Newmeyer & Dillion
Anne Kelley is a partner in the firm's Walnut Creek office where she advises businesses in the areas of cyber security, cyber insurance and data privacy issues, including compliance with the CCPA of 2018.
In September, California became the first state to pass a law addressing cybersecurity concerns with internet of things ("IoT") devices that connect to the internet. SB 327 requires that by Jan. 1, 2020, manufacturers of certain internet-connected devices sold in California must equip them with "reasonable security features." The security features must be: (i) appropriate to the nature and function of the device; (ii) appropriate to the information it may collect, contain or transmit; and (iii) designed to protect the device, and any information contained therein, from unauthorized access, destruction, use, modification or disclosure.
The law reflects the fact that Californians are increasingly using IoT devices that range from teddy bears used by children to toasters and other home appliances. The impetus behind the law is to prevent cyberattacks and protect data collected by IoT devices, many of which have documented security vulnerabilities, including default usernames and passwords and cleartext data transmissions (found, for example, in toys and medical devices by the Princeton University IoT Inspector Project). IoT devices' security vulnerabilities increase the number of threat vectors for cyberattacks, and the devices collect personal data that can be exposed in a cyberattack or data breach.
SB 327 is codified at California Civil Code Sections 1798.91.04-06. The law defines "connected device" as "any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address." The law states that if a connected device is equipped with a means for authentication outside a local area network, the device manufacturer will meet the "reasonable security feature" requirement if either of the following requirements is met: (1) the preprogrammed password is unique to each device manufactured, or (2) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
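The two safe-harbor paths above map directly onto device firmware logic. The following is an added, constructed illustration in Python (not code from the statute or from any manufacturer): path (1) is a manufacturing-time step that gives each unit its own random credential, and path (2) is a login gate that refuses access until the user replaces the shipped credential. The `Device` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Path (1): each unit leaves the factory with its own CSPRNG-generated password,
# so no two devices share a default an attacker could look up.
def provision_unique_password() -> str:
    return secrets.token_urlsafe(12)

def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the cleartext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Device:
    """Hypothetical model of a connected device's authentication state."""

    def __init__(self, shipped_password: str, require_rotation: bool) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(shipped_password, self.salt)
        self.require_rotation = require_rotation  # path (2) enabled?
        self.rotated = False                      # has the user set a new credential yet?

    def login(self, password: str, new_password: Optional[str] = None) -> bool:
        """Return True only when access may be granted outside the local network."""
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return False
        if self.require_rotation and not self.rotated:
            # Path (2): first access is denied until a genuinely new credential is set.
            if not new_password or new_password == password:
                return False
            self.salt = secrets.token_bytes(16)
            self.pw_hash = _hash(new_password, self.salt)
            self.rotated = True
        return True
```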
Critics believe the law does not go far enough, as it is limited to connected devices assigned an internet protocol or Bluetooth address. Further, the law does not provide specifics on what security measures are required for all connected devices, as the "reasonable security features" required vary depending on the nature and function of the device and the nature of the information collected. (Section 1798.91.04(a)(1)-(2).) The law imposes no duty on manufacturers of a connected device related to unaffiliated third-party software or applications that a user adds to a connected device. (Section 1798.91.06(a).)
This law, in contrast to the recent California Consumer Privacy Act, does not have a private right of action and is only enforceable by the state. However, if a connected device manufacturer fails to maintain "reasonable security measures" and a data breach occurs, the manufacturer could be in violation of the CCPA.