
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Nov 19, 2018 — Application Security expert

Breaking Down the New California IoT Law

Application Security

California recently passed legislation (SB-327) covering the security of connected devices sold or offered for sale in the state. As of January 1, 2020, manufacturers must equip those devices with reasonable security features, appropriate to the nature of the device and the information it collects, that protect the device and the data on it from unauthorized access, destruction, use, modification, and disclosure. For devices that can be authenticated from outside a local area network, the law deems a security feature reasonable if either the preprogrammed password is unique to each device manufactured or the device requires the user to generate new credentials before access is granted for the first time. The legislation defines a connected device as any device or physical object capable of connecting to the internet, directly or indirectly, that is assigned an IP address or Bluetooth address. So, does the law actually have teeth, and will it make us safer?

We believe that the California law in itself will not dramatically improve the security of devices or the safety of consumers. It is a recognition of the problem, and as such it should raise the visibility of security requirements and of the long-term cost, in the court of public opinion, of getting them wrong. But it falls short in a few key ways:

  • The risk of this legislation is confusion. It may send a signal to vendors and businesses that simply shipping a per-device default password, or forcing a password change at first use, constitutes "reasonable" protection of the data on the device, when the unique-password safe harbor covers only one narrow class of weakness.
  • Furthermore, the California legislation has no "teeth" that would let vendors predict the hard, direct cost of a violation, as they can with other legislation such as the GDPR, which took effect in the EU earlier this year. The law specifies no penalty amounts and creates no private right of action; enforcement is left to the Attorney General and to city, county, and district attorneys. As a result, vendors may decide non-compliance is a risk worth taking until California or other states attach specific penalties to such actions.

Recommendations

Consumers need to raise their concerns about, and their expectations of, vendors' security. Today, desirable features far outweigh security in the minds of the early adopters driving sales of many consumer IoT devices, and the risks are not in the general consciousness.

Consumer protection and privacy organizations, along with leading security vendors, need to increase the visibility of security needs and of the steps consumers of these technologies should take themselves to reduce their chances of direct loss, or of becoming part of a botnet that harms another business or society at large.

State and national legislatures should treat the current legislation as a good first step but augment it with specific penalties that will compel compliance, and make clear that the safe-harbor provisions do not relieve manufacturers of broader responsibility for the security of their devices. As written, the law is vague and invites confusion and competing interpretations of "reasonable security." Organizations need complete visibility into their devices, applications, and networks in order to protect customer data and navigate today's dynamic threat landscape.
