Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
States Take the Lead on Securing IoT
The widespread adoption of Internet-connected devices has shifted from a novelty to a necessity in mainstream culture. Internet connected devices or the Internet of Things (IoT) is a network of physical objects — devices, vehicles, appliances — embedded with sensors, software, and network connectivity, so they can collect, exchange, and act on data, often without human intervention.
As a society, we have become more interested in smart products such as smart home devices, phones, and toys that make life more efficient, convenient and entertaining. Yet, use of IoT devices is not without risks. At the end of last year, Ring camera, owned by Amazon, made news headlines after hackers breached the devices. There were numerous accounts of hackers obtaining access to the cameras and taunting and yelling obscenities at children, and threatening adults for bitcoin ransomware through the cameras. As a result of these hacks, Amazon is now facing a class action lawsuit claiming that the Ring camera security vulnerabilities were a result of Amazon's negligence and that it led to an invasion of privacy. See, John Baker Orange v. Ring LLC and Amazon .Com LLC, No. 2:19-cv-10899 (2019). These incidents were the motivation for the passage of California's new IoT Security Law that went into effect on Jan. 1, 2020.
The California IoT Security Law is the first of its kind in the nation and pushes device manufacturers to adopt cybersecurity standards during the product development and design stages where none have existed before. (Cal. Civ. Code §1798.91.04) (California IoT Law). The California IoT Law applies to connected devices which are defined to mean any device or physical object that has ability to connect to the internet and has an assigned Internet protocol address or Bluetooth address. This encompasses a wide range of devices from smart doorbells, refrigerators, personal fitness monitors, security cameras, wearables, etc. The definition of connected device is broad enough to even cover devices intended for industrial or other business-to-business purposes. The law also requires that all connected devices sold in California, no matter where they are manufactured, should have "reasonable security features." Those "reasonable security features" should be:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The California IoT Law does outline some basic security features such as use of preprogrammed passwords that must be unique to each device, and the device must require the user to immediately generate a new means of authentication prior to being granted access to the device configuration settings for the first time. Beyond these measures, the California IoT Law does not provide any additional information on what would constitute "reasonable security features." The California IoT Law does contain certain exemptions for connected devices already subject to security requirements under U.S. Federal laws such as regulated FDA regulated medical devices.
The California IoT Law does not provide for a private right of action rather the law will be enforced by the California Attorney General and city and district attorneys. Furthermore, the law does not specify what types of penalties can be sought, what the maximum penalties are or whether the enforcement authorities must prove actual harm to consumers prior to seeking penalties. Despite these limited enforcement provisions, Californians may have other options to prove injury or harm through IoT devices. Californians who suffer from an IoT data breach could bring a lawsuit under California's unfair and deceptive practices statute. The California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020, allows for a private right of action for breaches of unencrypted or un-redacted data caused by a business's failure to implement and maintain reasonable information security practices.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
Major Differences In UK, U.S. Copyright Laws
This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.
The Article 8 Opt In
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.
Strategy vs. Tactics: Two Sides of a Difficult Coin
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Removing Restrictive Covenants In New York
In Rockwell v. Despart, the New York Supreme Court, Third Department, recently revisited a recurring question: When may a landowner seek judicial removal of a covenant restricting use of her land?
Legal Possession: What Does It Mean?
Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.