This post is from the Arxan blog and has not been updated since the original publish date.
Breaking Down the New California IoT Law
California recently passed legislation (SB-327) covering the security of connected devices sold in the state. As of January 1, 2020, every such device must ship with reasonable security features, appropriate to its nature and function and to the information it collects, designed to protect the device and any information on it from unauthorized access, destruction, use, modification, or disclosure. For devices that can be authenticated from outside a local area network, the law deems either of two measures sufficient: a preprogrammed password that is unique to each device, or a requirement that the user create new credentials before being granted access for the first time. The legislation defines a connected device as any device or other physical object that can connect to the internet, directly or indirectly, and that is assigned an IP or Bluetooth address. So, does it actually have much teeth, and will it make us safer?
We believe that the California law in itself will not dramatically improve the security of devices or the safety of consumers. It is a recognition of the problem, and as such will hopefully raise the visibility of security needs and of the long-term losses a vendor can suffer from failures in the court of public opinion. But it falls short in a few key ways:
- The legislation risks creating confusion. It may signal to vendors and businesses that simply letting the owner set a custom password constitutes "reasonable" protection of data, when a device's password handling is only one part of protecting it.
- Furthermore, the legislation has no 'teeth' that would let vendors predict the hard, direct cost of a violation, as they can with other legislation such as the GDPR, which took effect in the EU earlier this year. Vendors may therefore decide that non-compliance is a risk worth taking until California or other jurisdictions specify penalties for it.
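To make concrete what the statute's authentication provisions require, and what an optional custom password does not satisfy, the following is an added example written for this page; it is not code from the original post or from Arxan. It models a device's login gate in Python with the two mechanisms the law deems reasonable for devices authenticated from outside a local network: a factory password unique to each unit, or a forced credential change before first access. The class and function names, the PBKDF2 parameters, and the three device scenarios are all assumptions constructed for the demonstration.

```python
import hashlib
import os
import secrets

# Added example, not from the original post. A minimal model of a device's
# login gate showing the two mechanisms SB-327 deems a "reasonable security
# feature" for devices that authenticate outside a local network:
#   (A) a preprogrammed password that is unique to each device, or
#   (B) requiring the user to set a new credential before first access.
# A shared factory default that the owner merely *may* change satisfies neither.

PBKDF2_ROUNDS = 200_000  # assumed tuning value for the demonstration


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Credential store for one device (hypothetical class for this example).

    unique_default: the factory credential was generated per device (option A).
    force_rotation: the device blocks access until the owner sets their own
                    credential (option B).
    """

    def __init__(self, factory_password: str, *, unique_default: bool, force_rotation: bool):
        self.unique_default = unique_default
        self.force_rotation = force_rotation
        self.salt = os.urandom(16)
        self.hash = _hash_password(factory_password, self.salt)
        self.rotated = False  # True once the owner replaces the factory credential

    def login(self, password: str) -> str:
        """Return 'denied', 'setup-required' (password correct, but no access
        until a new credential is set) or 'granted'."""
        if not secrets.compare_digest(self.hash, _hash_password(password, self.salt)):
            return "denied"
        if self.force_rotation and not self.rotated:
            return "setup-required"
        return "granted"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; allowed from the setup state or once granted."""
        if self.login(current) == "denied":
            return False
        self.salt = os.urandom(16)
        self.hash = _hash_password(new, self.salt)
        self.rotated = True
        return True

    def meets_sb327_auth_requirement(self) -> bool:
        """Either statutory mechanism is enough; an optional password change is not."""
        return self.unique_default or self.force_rotation


def provision_unique_password() -> str:
    """Option A: a per-device factory password drawn from a CSPRNG at manufacture
    (printed on the unit's label), not derived from the MAC or serial number,
    which an attacker can enumerate."""
    return secrets.token_urlsafe(12)


def demo() -> dict:
    """Constructed scenarios; returns the outcome of each for inspection."""
    # Non-compliant: every unit ships with the same password. The owner *can*
    # call set_password, but nothing forces that before access is granted.
    shared = DeviceAuth("admin", unique_default=False, force_rotation=False)
    # Option B: same shared default, but no access until the owner sets a credential.
    rotated = DeviceAuth("admin", unique_default=False, force_rotation=True)
    first = rotated.login("admin")
    rotated.set_password("admin", "owner-chosen-passphrase")
    # Option A: unique per-device credential, no forced change required.
    unique = DeviceAuth(provision_unique_password(), unique_default=True, force_rotation=False)
    return {
        "shared_default_grants_access": shared.login("admin") == "granted",
        "shared_default_compliant": shared.meets_sb327_auth_requirement(),
        "forced_rotation_first_login": first,
        "old_default_after_rotation": rotated.login("admin"),
        "new_credential_after_rotation": rotated.login("owner-chosen-passphrase"),
        "forced_rotation_compliant": rotated.meets_sb327_auth_requirement(),
        "unique_default_compliant": unique.meets_sb327_auth_requirement(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `shared` device is the case the post warns about: a custom password is available, yet the factory default grants full access on the first login and on every login after it. `meets_sb327_auth_requirement` covers only the statute's password safe harbor; the broader "reasonable security" standard still depends on the device's function and the data it handles.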
Consumers need to raise their concerns about, and expectations of, vendors around security. Today, desirable features far outweigh security in the minds of the early adopters driving sales of many consumer IoT devices, and the risks are not in the general consciousness.
Consumer protection and privacy organizations, along with leading security vendors, need to raise the visibility of security needs and of the steps consumers must take on their own to reduce their chances of direct loss, or of their devices being conscripted into a botnet that harms another business or society at large.
State and national legislatures should treat the current legislation as a good first step, but augment it with specific penalties that will force compliance, and make clear that it does not relieve manufacturers of responsibility. The law is vague and opens the door to confusion and misinterpretation of 'reasonable security.' Organizations need complete visibility into their devices, applications and networks in order to protect customer data and navigate today's dynamic threat landscape.