SACRAMENTO—California has become the first state to pass an Internet of things (IoT) cybersecurity law.
California Governor Jerry Brown recently signed SB-327 into law, which addresses information privacy, specifically pertaining to connected devices. The legislation aims to protect consumers of smart home devices against potential privacy risks from unauthorized parties gaining access to user information, Security Baron reported.
The law requires manufacturers of IoT devices to provide “reasonable security features” designed to protect user privacy. The ‘features’ are largely determined by password requirements: Manufacturers must give a unique, pre-programmed password for each device or require users to establish a new means of authentication before the device can be operated for the first time.
A “connected device” is defined in the legislation as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
Increased Regulations
This would not only increase regulations for general IoT objects like locks and security cameras, but also for more peripheral products such as connected healthcare devices or children’s toys that tend to be more vulnerable to hackers, Security Baron reported.
The SB-327 law will go into effect on Jan. 1, 2020.
“This is the first time that any official regulation of IoT devices has been put in place, marking a starting point for the future of cybersecurity legislation. We will have to see how manufacturers and lawmakers respond as the industry continues to grow,” Security Baron stated.