California seeks to regulate Internet of Things devices

California recently passed a law that smart devices sold in California must have “reasonable security” features to protect data.

Written by Folake Dosu
Published on Dec. 13, 2018
iot-regulation-california

iot-regulation-california

While smart gadgets are a consumer favorite, their vulnerabilities have made them a target for regulators to set and enforce much-needed security standards. 

ABA Journal reports how California recently passed a law that smart devices sold in California must have “reasonable security” features to protect stored or transmitted information from “unauthorized access, destruction, use, modification or disclosure.”

Set to go in effect on January 1st, 2020, some watchdogs feel that while the effort to regulate these technologies is commendable, the law is still not tough enough on cybersecurity.

With industry research company IoT Analytics currently estimating 7 billion connected devices in the world with that number expected to climb to 21.5 billion devices by 2025, this saturation increases the frequency of cybersecurity attacks such as denial-of-service attacks and click fraud.

“The majority of IoT devices are insecure,” explained Syed Ali, an expert vice president at the Bain & Co.’s Houston office and leader of its information technology practice, to ABA Journal.

Cybersecurity company Corero Network Security told ABA Journal that the firm credits the uptick of denial-of-service attacks, 40 percent higher in the first half of 2018 than year-on-year, in part to Internet of Things device adoption.

The common lack of password protection for these devices is a major manufacturer flaw, as research from Ben-Guirion University in Israel notes. The California law seeks to correct this oversight by requiring the use of passwords for devices. 

“What’s reasonable for an industrial IoT device might be a lower standard than what would be reasonable for a consumer-facing device that collects more sensitive information, like biometrics or health information.”

The vague requirement for a “reasonable security feature,” on the other hand, leaves some head-scratching.

“Reasonableness is always the legislature’s way to build in a moving target that will be informed by industry practice” and the sensitivity of the information collected, Christine Lyon, a partner at Morrison & Foerster in Palo Alto, California, told ABA Journal. “What’s reasonable for an industrial IoT device might be a lower standard than what would be reasonable for a consumer-facing device that collects more sensitive information, like biometrics or health information.”

Nevertheless, this law is a start to what will continue to be an ongoing effort to regulate connected devices.

“This is probably not the end state of this law,” Lyon said to ABA Journal. “I think this is probably a starting point to get a law on the books.”

Explore Job Matches.