Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
The widespread adoption of Internet-connected devices has shifted from a novelty to a necessity in mainstream culture. Internet connected devices or the Internet of Things (IoT) is a network of physical objects — devices, vehicles, appliances — embedded with sensors, software, and network connectivity, so they can collect, exchange, and act on data, often without human intervention.
As a society, we have become more interested in smart products such as smart home devices, phones, and toys that make life more efficient, convenient and entertaining. Yet, use of IoT devices is not without risks. At the end of last year, Ring camera, owned by Amazon, made news headlines after hackers breached the devices. There were numerous accounts of hackers obtaining access to the cameras and taunting and yelling obscenities at children, and threatening adults for bitcoin ransomware through the cameras. As a result of these hacks, Amazon is now facing a class action lawsuit claiming that the Ring camera security vulnerabilities were a result of Amazon's negligence and that it led to an invasion of privacy. See, John Baker Orange v. Ring LLC and Amazon .Com LLC, No. 2:19-cv-10899 (2019). These incidents were the motivation for the passage of California's new IoT Security Law that went into effect on Jan. 1, 2020.
The California IoT Security Law is the first of its kind in the nation and pushes device manufacturers to adopt cybersecurity standards during the product development and design stages where none have existed before. (Cal. Civ. Code §1798.91.04) (California IoT Law). The California IoT Law applies to connected devices which are defined to mean any device or physical object that has ability to connect to the internet and has an assigned Internet protocol address or Bluetooth address. This encompasses a wide range of devices from smart doorbells, refrigerators, personal fitness monitors, security cameras, wearables, etc. The definition of connected device is broad enough to even cover devices intended for industrial or other business-to-business purposes. The law also requires that all connected devices sold in California, no matter where they are manufactured, should have "reasonable security features." Those "reasonable security features" should be:
The California IoT Law does outline some basic security features such as use of preprogrammed passwords that must be unique to each device, and the device must require the user to immediately generate a new means of authentication prior to being granted access to the device configuration settings for the first time. Beyond these measures, the California IoT Law does not provide any additional information on what would constitute "reasonable security features." The California IoT Law does contain certain exemptions for connected devices already subject to security requirements under U.S. Federal laws such as regulated FDA regulated medical devices.
The California IoT Law does not provide for a private right of action rather the law will be enforced by the California Attorney General and city and district attorneys. Furthermore, the law does not specify what types of penalties can be sought, what the maximum penalties are or whether the enforcement authorities must prove actual harm to consumers prior to seeking penalties. Despite these limited enforcement provisions, Californians may have other options to prove injury or harm through IoT devices. Californians who suffer from an IoT data breach could bring a lawsuit under California's unfair and deceptive practices statute. The California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020, allows for a private right of action for breaches of unencrypted or un-redacted data caused by a business's failure to implement and maintain reasonable information security practices.
Following California's lead, Oregon passed its own IoT law, amending ORS 646.607, which largely mirrors the California IoT Law by requiring that connected device manufacturers equip IoT devices with reasonable security features for devices sold in the state of Oregon. Oregon's law is similar to the one in California in that it uses the same language including "reasonable security features." However, unlike the California IoT Law, the Oregon law is limited to devices primarily used for personal, family or household purposes. The U.S. Congress introduced The IoT Cybersecurity Improvement Act of 2019 which would require that devices purchased by the U.S. government meet certain minimum security requirements. However, it's unlikely such law will pass before the 2020 U.S. general election.
IoT device manufacturers looking for guidance on reasonable security features to implement in the production of their devices should pay close attention to the National Institute of Standards and Technology (NIST)'s Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The NIST Recommendations are voluntary guidance and non-binding but it provides considerations in assessing privacy and security practices. The Recommendations describe six voluntary activities related to cybersecurity with four activities that a manufacturer can perform before a device is sent out for sale with the remaining two activities that can be performed after the device has hit the market.
Other states such as Virginia and New York have considered their own IoT laws but none have passed at the time of submission of this article. It will be important for IoT device manufacturers to monitor state law developments as more states considering regulating the security features of IoT devices.
*****
Ashley Thomas is an associate in the cybersecurity and privacy group at Morris, Manning and Martin LLP. She can be reached at [email protected].
|ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.