Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityPrivacyRegulationTechnology Media and Telecom

States Take the Lead on Securing IoT

By Ashley Thomas
April 01, 2020

The widespread adoption of Internet-connected devices has shifted from a novelty to a necessity in mainstream culture. Internet connected devices or the Internet of Things (IoT) is a network of physical objects — devices, vehicles, appliances — embedded with sensors, software, and network connectivity, so they can collect, exchange, and act on data, often without human intervention.

As a society, we have become more interested in smart products such as smart home devices, phones, and toys that make life more efficient, convenient and entertaining. Yet, use of IoT devices is not without risks. At the end of last year, Ring camera, owned by Amazon, made news headlines after hackers breached the devices. There were numerous accounts of hackers obtaining access to the cameras and taunting and yelling obscenities at children, and threatening adults for bitcoin ransomware through the cameras. As a result of these hacks, Amazon is now facing a class action lawsuit claiming that the Ring camera security vulnerabilities were a result of Amazon's negligence and that it led to an invasion of privacy. See, John Baker Orange v. Ring LLC and Amazon .Com LLC, No. 2:19-cv-10899 (2019). These incidents were the motivation for the passage of California's new IoT Security Law that went into effect on Jan. 1, 2020.

The California IoT Security Law is the first of its kind in the nation and pushes device manufacturers to adopt cybersecurity standards during the product development and design stages where none have existed before. (Cal. Civ. Code §1798.91.04) (California IoT Law). The California IoT Law applies to connected devices which are defined to mean any device or physical object that has ability to connect to the internet and has an assigned Internet protocol address or Bluetooth address. This encompasses a wide range of devices from smart doorbells, refrigerators, personal fitness monitors, security cameras, wearables, etc. The definition of connected device is broad enough to even cover devices intended for industrial or other business-to-business purposes. The law also requires that all connected devices sold in California, no matter where they are manufactured, should have "reasonable security features." Those "reasonable security features" should be:

  • Appropriate to the nature and function of the device.
  • Appropriate to the information it may collect, contain, or transmit.
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

The California IoT Law does outline some basic security features such as use of preprogrammed passwords that must be unique to each device, and the device must require the user to immediately generate a new means of authentication prior to being granted access to the device configuration settings for the first time. Beyond these measures, the California IoT Law does not provide any additional information on what would constitute "reasonable security features." The California IoT Law does contain certain exemptions for connected devices already subject to security requirements under U.S. Federal laws such as regulated FDA regulated medical devices.

The California IoT Law does not provide for a private right of action rather the law will be enforced by the California Attorney General and city and district attorneys. Furthermore, the law does not specify what types of penalties can be sought, what the maximum penalties are or whether the enforcement authorities must prove actual harm to consumers prior to seeking penalties. Despite these limited enforcement provisions, Californians may have other options to prove injury or harm through IoT devices. Californians who suffer from an IoT data breach could bring a lawsuit under California's unfair and deceptive practices statute. The California Consumer Privacy Act (CCPA), which went into effect Jan. 1, 2020, allows for a private right of action for breaches of unencrypted or un-redacted data caused by a business's failure to implement and maintain reasonable information security practices.

Following California's lead, Oregon passed its own IoT law, amending ORS 646.607, which largely mirrors the California IoT Law by requiring that connected device manufacturers equip IoT devices with reasonable security features for devices sold in the state of Oregon. Oregon's law is similar to the one in California in that it uses the same language including "reasonable security features." However, unlike the California IoT Law, the Oregon law is limited to devices primarily used for personal, family or household purposes. The U.S. Congress introduced The IoT Cybersecurity Improvement Act of 2019 which would require that devices purchased by the U.S. government meet certain minimum security requirements. However, it's unlikely such law will pass before the 2020 U.S. general election.

IoT device manufacturers looking for guidance on reasonable security features to implement in the production of their devices should pay close attention to the National Institute of Standards and Technology (NIST)'s Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The NIST Recommendations are voluntary guidance and non-binding but it provides considerations in assessing privacy and security practices. The Recommendations describe six voluntary activities related to cybersecurity with four activities that a manufacturer can perform before a device is sent out for sale with the remaining two activities that can be performed after the device has hit the market.

  • Identify expected customers and define expected use cases for IoT devices.
  • Research customer cybersecurity goals and how the device will be managed, accessed, and monitored by the customer or other devices.
  • Determine how to address customer goals by having IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks.
  • Plan for adequate support of customer goals by appropriately provisioning device hardware, firmware, software and business resources to support the desired device cybersecurity capabilities.
  • Define approaches for communicating to customers as many customers as many will benefit from manufacturers communicating to them more clearly about cybersecurity risks involving the IoT devices.
  • Decide what to communicate to customers and how to communicate it.

Other states such as Virginia and New York have considered their own IoT laws but none have passed at the time of submission of this article. It will be important for IoT device manufacturers to monitor state law developments as more states considering regulating the security features of IoT devices.

*****

Ashley Thomas is an associate in the cybersecurity and privacy group at Morris, Manning and Martin LLP. She can be reached at [email protected].

|

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.