
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Nov 19, 2018 — Application Security expert

Breaking Down the New California IoT Law

Application Security

California recently passed legislation regulating the security of connected devices sold or offered for sale in the state. As of January 1, 2020, manufacturers must equip such devices with reasonable security features appropriate to the device and to the information it collects, contains or transmits, designed to protect the device and its data from unauthorized access, destruction, use, modification and disclosure. For devices that can be authenticated from outside a local area network, the law deems this requirement met if either the preprogrammed password is unique to each device manufactured, or the device requires the user to create new credentials before it can be accessed for the first time. The legislation defines a connected device as any device or other physical object capable of connecting to the internet, directly or indirectly, that is assigned an IP address or a Bluetooth address. So, does it actually have much teeth, and will it make us safer?
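To make the password provision concrete, here is an added example (not code from Arxan, and not drawn from the statute itself) modelling the two ways a device can satisfy it: a factory password generated per device at manufacture, or a first-boot gate that refuses every action until the owner sets credentials. The `DeviceAuth` class, its mode names and the `SHARED_DEFAULTS` list are assumptions for illustration, and the default list is a constructed sample; the check that matters is that a default shared across a product line, such as admin/admin, satisfies neither path.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample of shared factory defaults (the kind an IoT botnet scanner tries first).
SHARED_DEFAULTS = frozenset({"admin", "password", "1234", "12345", "default", "root"})
PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LEN = 12


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a dumped flash image does not yield the password directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class DeviceAuth:
    """Credential gate for a device reachable from outside its local network.

    mode="unique":     ships with a factory password generated per device (first safe harbour)
    mode="first-boot": ships with no usable credential; the owner must set one
                       before any access is granted (second safe harbour)
    A default shared across a product line (admin/admin) satisfies neither.
    """

    def __init__(self, mode: str, factory_password: Optional[str] = None):
        if mode not in ("unique", "first-boot"):
            raise ValueError("mode must be 'unique' or 'first-boot'")
        self.mode = mode
        self.user_set = False            # True once the owner has chosen a password
        self.factory_password = None     # hypothetical: what would be printed on the device label
        self._salt = os.urandom(16)
        self._hash: Optional[bytes] = None
        if mode == "unique":
            if factory_password is None:
                factory_password = secrets.token_urlsafe(16)   # generated per device, not per model
            if factory_password.lower() in SHARED_DEFAULTS:
                raise ValueError("factory password is a shared default, not unique per device")
            self.factory_password = factory_password
            self._hash = _hash_password(factory_password, self._salt)
        # In first-boot mode _hash stays None: there is nothing to log in with yet.

    def _verify(self, password: Optional[str]) -> bool:
        if self._hash is None or password is None:
            return False
        return hmac.compare_digest(self._hash, _hash_password(password, self._salt))

    def set_password(self, new_password: str, current_password: Optional[str] = None) -> None:
        """Set the owner's credential. In first-boot mode this is the only action allowed
        before setup; afterwards (and always in unique mode) the current password must be
        proven first, so a remote attacker cannot simply overwrite it."""
        needs_proof = self.user_set or self.mode == "unique"
        if needs_proof and not self._verify(current_password):
            raise PermissionError("current password required to change credentials")
        if len(new_password) < MIN_PASSWORD_LEN or new_password.lower() in SHARED_DEFAULTS:
            raise ValueError("new password too short or a known default")
        self._salt = os.urandom(16)
        self._hash = _hash_password(new_password, self._salt)
        self.user_set = True

    def is_authorized(self, password: Optional[str]) -> bool:
        """Gate for every remote operation. In first-boot mode nothing is permitted
        until the owner has created credentials; otherwise the password must verify."""
        if self.mode == "first-boot" and not self.user_set:
            return False
        return self._verify(password)
```

The first-boot path is the stronger of the two in practice: a per-device factory password still has to be distributed (label, app, QR code) and is only as unique as the manufacturing process that generates it, whereas a device that refuses all access until credentials exist has no default for a scanner to guess.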

We believe that the California law in itself will not dramatically improve the security of devices or the safety of consumers. It is a recognition of the problem and, as such, will hopefully raise the visibility of security needs and of the long-term losses a vendor risks in the court of public opinion when it fails. But it falls short in a few key ways:

  • The first risk is confusion. The law may signal to vendors and businesses that simply forcing a custom password constitutes "reasonable" protection of a device and its data, when the password provision is only the one measure the statute spells out, not the whole of reasonable security.
  • Furthermore, the legislation has no 'teeth' that would let vendors predict the hard, direct cost of a violation, as they can with GDPR, which took effect in the EU earlier this year. Vendors may therefore decide that non-compliance is worth the risk until California or others attach specified penalties to it.


Consumers need to raise their concerns about, and their expectations of, vendors around security. Today, desirable features far outweigh security in the minds of the early adopters driving sales of many consumer IoT devices, and the risks are not in the general consciousness.

Consumer protection and privacy organizations, together with leading security vendors, need to raise the visibility of security needs and of the steps consumers of these technologies can take on their own to reduce their chances of direct loss, or of their devices being conscripted into a botnet that harms another business or society.

And state and national legislatures should treat the current legislation as a good first step, but augment it with specific penalties that force compliance, and make clear that meeting the password provision does not by itself release manufacturers from responsibility for the rest of the device. As written, the law is vague and opens the door to confusion and misinterpretation of 'reasonable security.' Organizations need complete visibility into their devices, applications and networks in order to protect customer data and navigate today's dynamic threat landscape.
