Do you know what SB 327, the California IoT law, is? SB 327 is a bill signed by California’s Governor Jerry Brown that governs the security of Internet of Things (IoT) devices. It is a first-of-its-kind bill, and signing it makes California the first state in the USA to adopt such legislation. The law mandates that any and all makers of Internet-connected or “smart” devices ensure these gadgets have “reasonable” security features which “protect the device and any information contained therein from all sorts of unauthorized access, destruction, use, modification or disclosure.” The law goes into effect on Jan. 1, 2020.
There is a 15-month delay before the California IoT law takes effect. The delay is designed to hold IoT manufacturers accountable without suppressing innovation on their part. Just a few weeks after SB 327 was signed, the UK government, also seeking to secure smart gadgets, released a new voluntary Code of Practice (CoP) for consumer IoT devices. A few companies in the UK, such as HP Inc. and Centrica Hive Ltd., have already committed to implementing the CoP by 2021.
California’s new IoT law, SB 327, does not clearly state what constitutes a “reasonable” security feature, but it does specify that any such feature must be:
• Appropriate to the nature and function of the device;
• Appropriate to the information the device may collect, contain, or transmit; and
• Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
In some cases, a manufacturer-provided password that is unique to each device may satisfy the “reasonable security” requirement. It has been common practice for manufacturers to ship devices with shared default passwords, which means that if the end user does not change the password after installation, anyone can easily access the device. While some U.S. federal agencies, viz. the Department of Homeland Security and the Department of Commerce, have already provided guidance on how to manage the security of these devices and improve transparency for consumers, state governments have yet to engage with IoT cybersecurity.
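The distinction drawn above, between a shared factory default and a password unique to each device, can be checked at provisioning time. The following added example (not part of the original post or of any manufacturer’s tooling) audits a constructed device inventory for passwords that are shared across units or drawn from a small assumed list of well-known defaults, and re-provisions the flagged units with per-device credentials from a CSPRNG:

```python
import secrets
import string
from collections import Counter

# Constructed sample inventory: device serial -> factory-set password.
# Two units ship with the same shared value, one with a well-known default.
SAMPLE_INVENTORY = {
    "CAM-0001": "Fact0ry!Pass",
    "CAM-0002": "Fact0ry!Pass",
    "CAM-0003": "x7Qp-2mLz-9vRt",
    "CAM-0004": "password",
}

# Assumed list of widely shared factory defaults; extend from your own data.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default", ""}


def audit_factory_passwords(inventory):
    """Return serial -> reason for every device whose factory password
    would not count as 'unique to each device'."""
    counts = Counter(inventory.values())
    findings = {}
    for serial, pw in inventory.items():
        if pw in KNOWN_DEFAULTS:
            findings[serial] = "well-known default"
        elif counts[pw] > 1:
            findings[serial] = "shared with another device"
    return findings


def provision_unique_password(length=16):
    """Generate a per-device factory password using the secrets module
    (cryptographically secure), not random()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(inventory):
    """Replace every flagged password with a freshly generated unique one."""
    fixed = dict(inventory)
    for serial in audit_factory_passwords(inventory):
        fixed[serial] = provision_unique_password()
    return fixed


if __name__ == "__main__":
    for serial, reason in audit_factory_passwords(SAMPLE_INVENTORY).items():
        print(f"{serial}: {reason}")
```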
Exclusions from SB 327
Device manufacturers will not need to meet the law’s requirements in every situation. Moreover, manufacturers are not responsible for securing any unaffiliated software programs that users may choose to install on their connected devices. In addition, there are exceptions relating to, among other things, law enforcement activities, health-care providers, devices regulated by federal law or regulations, and firmware updates that the manufacturer may wish to install.
The law has no private right of action. However, the Attorney General, a city attorney, a county counsel, or a district attorney will have the right to enforce the law.
California continues to lead in the USA when it comes to enacting privacy and security laws. This IoT law comes just after the recent enactment of the California Consumer Privacy Act (CCPA), which also goes into effect on January 1, 2020. Like the CCPA, this SB 327 law has an extraterritorial reach—impacting businesses located inside and outside of California. In such cases, as long as the manufacturers sell Internet-connected devices in California, they will be required to meet the law’s requirements unless any sort of exclusion applies.