Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

California Passes First Of Its Kind IoT Cybersecurity Law

By Peter Stockburger
November 6, 2018
  • Consumer Protection
  • Data Breach
  • Enforcement
  • New and Proposed Laws
  • United States

California recently became the first state in the union to pass a cybersecurity law addressing “smart” devices and Internet of Things (IoT) technology. The term IoT generally refers to anything connected to the internet, including smart home devices (e.g., Amazon’s Alexa, NEST thermostats, etc.). The new bill, SB-327, was introduced last year, passed the Senate in late August, was signed by the governor in September, and will go into effect January 1, 2020.

Below is a summary of California’s new law and some takeaways for IoT device manufacturers as they move toward January 1, 2020 compliance.

Core Security Obligation

The new law addresses the security obligations of “manufacturers” of connected devices. “Manufacturer” is defined under the new law as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” (Civ. Code § 1798.91.05(c)) Because the definition turns on where the device is sold rather than where it is made, the new law also reaches manufacturers located outside of California.

Under the new law, a covered “manufacturer” of a connected device must equip the device with a “reasonable security feature or features” that are:

  • “Appropriate to the nature and function of the device[;]”
  • “Appropriate to the information it may collect, contain, or transmit[;]” and
  • “Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” (Civ. Code § 1798.91.04(a)(2)-(3))

The phrase “security feature” is defined as a “feature of a device designed to provide security for that device.” (Civ. Code § 1798.91.05(d)) The phrase “unauthorized access, destruction, use, modification, or disclosure” is defined to mean “access, destruction, use, modification, or disclosure that is not authorized by the consumer.” (Civ. Code § 1798.91.05(e))

If the device is equipped with a “means for authentication outside a local area network, it shall be deemed a reasonable security feature” if either of the following security requirements is met:

  • The preprogrammed password is unique to each device manufactured[;] or
  • The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. (Civ. Code § 1798.91.04(b)(1)-(2))
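The two safe-harbor paths above map onto concrete device behaviour. The following is an added illustration, not code from the Dentons post or from the statute: a sketch of a device-side authentication layer that implements the second path (no access until the user creates a credential) together with a manufacturing-side check for the first path (each device's factory password is unique). All names (DeviceAuth, provision_unique_factory_password, factory_passwords_are_unique) and the constructed sample values are hypothetical.

```python
"""Added example: one way a connected device could satisfy the
SB-327 safe-harbor conditions for out-of-network authentication.
Not the statute's or the post's own code; all names are hypothetical."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000
MIN_PASSWORD_LENGTH = 12


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the device never stores a plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def acceptable(password: str) -> bool:
    """Minimal policy for a user-chosen credential: length only, for illustration."""
    return len(password) >= MIN_PASSWORD_LENGTH


class DeviceAuth:
    """Path (2): the device ships with no usable credential.

    Until the user sets one, authenticate() always fails and the only
    permitted operation is set_initial_credential(), so access is never
    granted on a shared or factory default.
    """

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None
        self.user_credential_set = False

    def set_initial_credential(self, new_password: str) -> bool:
        """First-use enrolment; refuses to run twice so it cannot be used to reset."""
        if self.user_credential_set or not acceptable(new_password):
            return False
        self._salt = os.urandom(16)
        self._hash = hash_secret(new_password, self._salt)
        self.user_credential_set = True
        return True

    def authenticate(self, password: str) -> bool:
        """Grants access only after enrolment, using a constant-time comparison."""
        if not self.user_credential_set or self._salt is None or self._hash is None:
            return False
        return hmac.compare_digest(hash_secret(password, self._salt), self._hash)


def provision_unique_factory_password(serial: str) -> str:
    """Path (1): a per-device preprogrammed password drawn from a CSPRNG.

    The serial is accepted only so a production line can log which unit
    received which credential; the password is deliberately not derived
    from it, because anything derivable from a public identifier is not
    unique in any meaningful sense.
    """
    assert serial  # hypothetical production-line invariant
    return secrets.token_urlsafe(18)


def factory_passwords_are_unique(assignments: Dict[str, str]) -> bool:
    """Batch check a manufacturer could run before shipping: no two units share a password."""
    return len(set(assignments.values())) == len(assignments)


if __name__ == "__main__":
    # Constructed walk-through of path (2).
    dev = DeviceAuth()
    print("login before enrolment:", dev.authenticate("anything"))          # False
    print("enrol:", dev.set_initial_credential("correct-horse-battery-staple-42"))
    print("login after enrolment:", dev.authenticate("correct-horse-battery-staple-42"))
    # Constructed walk-through of path (1) with three hypothetical serial numbers.
    batch = {sn: provision_unique_factory_password(sn) for sn in ("SN001", "SN002", "SN003")}
    print("batch unique:", factory_passwords_are_unique(batch))
```

The design choice worth noting is that DeviceAuth makes the "no credential yet" state a refusal rather than a fallback to a default, so a unit that is powered on and exposed before the owner completes setup still grants nothing. The batch check is the kind of evidence a risk assessment (see the takeaways below) could record to show which of the two paths a product line relies on.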

Takeaways

  • Manufacturers Are Not Responsible For User Choices Or Third Party App Providers. The new law makes clear that a covered manufacturer will not be responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device. (Civ. Code § 1798.91.06(a)) Manufacturers are also not required to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion. (Civ. Code § 1798.91.06(c)) Finally, the law imposes no obligations on the provider of any “electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications[.]” (Civ. Code § 1798.91.06(b))
  • Medical Devices Are Likely Excluded. The new law states that it does not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority. (Civ. Code § 1798.91.06(d)) This would ostensibly include connected medical devices that are regulated by the U.S. Food and Drug Administration (FDA). Since 2014, the FDA has issued guidance governing the cybersecurity requirements for regulated medical devices.
  • No Private Right of Action. The new law makes clear that there will be no private right of action. “The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.” (Civ. Code § 1798.91.06(e))
  • HIPAA Exception. The new law excludes a covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to HIPAA or the Confidentiality of Medical Information Act with “respect to any activity regulated by those acts.” (Civ. Code § 1798.91.06(h))
  • Risk Assessments Are Key. As with most new cybersecurity laws, the most prudent course of action until the law enters into effect is to conduct a risk assessment of current products subject to the law and to determine what security measures are in place. These security measures can be measured against appropriate industry standards, including the cybersecurity frameworks promulgated by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Until there is more enforcement guidance or action taken with respect to this new law, or until the new law is amended before its January 1, 2020 enforcement date, what will be deemed “appropriate” under the new law remains an open question.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  


About Peter Stockburger

Peter Stockburger is a partner at Dentons, and is a member of the Firm’s global Employment, Intelligence and Strategic Services, and Data Privacy groups. Peter’s practice focuses on the unique intersection between cybersecurity, data privacy, employment law and complex commercial litigation.
