California Passes Nation’s First Cybersecurity Law Addressing Internet of Things

By Aliza Vigderman & Gabe Turner, Chief Editor
Last Updated on Aug 6, 2021

On September 28, 2018, California became the first state in the U.S. to pass an Internet of Things (IoT) cybersecurity law. California Governor Jerry Brown signed Bill SB-327 into a law that addresses information privacy, specifically pertaining to connected devices. The legislation[1] aims to protect consumers of smart home devices against potential privacy risks from unauthorized parties gaining access to user information.

What Does The New Law Require?

The law requires manufacturers of IoT devices to provide “reasonable security features” designed to protect user privacy. The ‘features’ are largely determined by password requirements. Manufacturers must give a unique, pre-programmed password for each device or require users to establish a new means of authentication before the device can be operated for the first time.

What Is A Connected Device, Anyway?

A “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” California’s new legislation would not only increase regulations for general IoT objects like smart locks and security cameras, but also for more peripheral products such as connected healthcare devices or children’s toys that tend to be more vulnerable to hackers.

Reactions To The Law

Reception of the law has been mixed.[2] Some critics fear the effects of the law will stifle innovation and deter manufacturers from operating in California, while others say that it was simply unnecessary. The Entertainment Software Association, for example, opposed the bill, claiming that existing law already requires manufacturers to set up “reasonable privacy protections.” Others consider the law to be vaguely worded and insufficient in addressing additional security issues.

Federal IoT Regulation: In The Works?

There are a number of other bills in the pipeline at the federal level, including the Securing IoT Act of 2017, which would mandate the FCC to establish cybersecurity standards for wireless devices. Another bill yet to be voted on is the IoT Cybersecurity Improvement Act of 2017, which would designate security standards for connected devices that the government purchases.

Aside from the government, the cellular industry has also been working on initiatives to tackle cybersecurity in the wireless IoT arena. For example, the Cellular Telecommunications and Internet Association distributed cybersecurity certifications. These certifications provide standardized security guidelines for numerous cellular devices connected to the internet.

When Will California’s Law Go Into Effect?

California’s SB-327 law will go into effect on January 1, 2020. This is the first time that any official regulation of IoT devices has been put in place, marking a starting point for the future of cybersecurity legislation. We will have to see how manufacturers and lawmakers respond as the industry continues to grow.

Best Practices for IoT Devices

So, what can you do to protect your IoT devices from being hacked? We recommend following the best digital security practices such as:

  • Password hygiene: Make sure that you create a unique and complicated password for your IoT device. By unique, we mean that it shouldn’t be the same password as any other online account. Find out how secure your password is with our password strength checker.
  • Authentication: If it’s available, turn on two-factor or multi-factor authentication, both of which prevent unauthorized access to your IoT device’s account. With two-factor authentication, you’ll have to enter a passcode sent to your mobile device, while multi-factor authentication includes biometrics like facial or fingerprint ID.
  • VPNs: Especially if you’re using an IoT device on a public Wi-Fi network, connect to a VPN, or Virtual Private Network. The VPN will hide your web activity as well as your device’s private IP address in an encrypted tunnel, decreasing the likelihood of being hacked. Read more about our top VPN picks.

While your state may not match California’s legislation, with some easy adjustments, you can greatly increase the security of your IoT devices.

Citations
  1. California Legislative Information. (2018). Assembly Bill No. 1906.
    leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB1906

  2. Government Technology. (2018). California Governor Approves Bills Tightening Security, Privacy of IoT Devices.
    govtech.com/applications/Two-Bills-Before-California-Governor-Would-Tighten-Security-Privacy-of-IoT-Devices.html