California's IoT Security Law: Why it Matters & the Meaning of 'Reasonable Cybersecurity'
Over the last several years, the internet of things (IoT) has not only come to pervade our home life, but our work life as well. A smart thermostat adjusts office temperatures based on changes in the weather, and the vending machine in the hall issues an alert when it needs to be refilled. Yet the increase in comfort and ease does not offset the massive risk these devices still pose to the security of an organization.
California has taken steps to reduce this risk. On January 1, 2020, the state's new IoT Security Law will go into effect, the first of its kind not only in California but in the entire U.S. It requires manufacturers to equip connected devices sold or offered for sale in the state with "reasonable security features." Yet the question remains: what is reasonable?
What does the law cover?
Before we answer that question, let's first look at what the law covers: any connected device, defined as "any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." This is a broad definition that could include everything from computers and copy machines to smart TVs and personal fitness monitors.
That list is only going to grow with time. Anything that can be connected will be connected, and the notion of a "connected device" will soon cover just about everything. For manufacturers selling into California, and for the businesses buying from them, that is going to make it a lot harder to determine which devices fall within the confines of the law.
What is a reasonable security feature?
According to the law, a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
The law is specific about one thing: authentication. If a device is equipped with a means for authentication outside a local area network, it is deemed to have a reasonable security feature if either of two requirements is met: "the preprogrammed password is unique to each device manufactured," or "the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." In other words, a factory default shared across every unit, with no forced change on first login, no longer qualifies.
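To make the two authentication requirements concrete, here is an added example, written for this page and not taken from the article or from any manufacturer's firmware, of how a device's credential handling can satisfy both prongs at once: the factory provisions a random password that is unique to each unit and stores only its salted hash, and the firmware refuses to grant access until the user has replaced that password with a new one (and refuses to accept the factory password "again" as the new one). The function names, the 12-character minimum, and the PBKDF2 parameters are assumptions for illustration; the device serials are constructed.

```python
"""Per-device factory credentials plus a forced change on first access.

Constructed example for this page; names, minimum length and PBKDF2
parameters are assumptions, not from any real product or the statute.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the device's CPU budget
MIN_NEW_PASSWORD_LEN = 12     # assumption: policy chosen for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceCredential:
    serial: str
    salt: bytes
    digest: bytes
    factory_salt: bytes       # kept so the factory secret can never be re-chosen
    factory_digest: bytes
    must_change: bool = True  # prong 2: no access until the user sets a new credential


def provision_device(serial: str) -> tuple[DeviceCredential, str]:
    """Factory step (prong 1): a random password unique to this unit.

    Only the salted hash is stored in the firmware; the cleartext goes on
    the device label and is returned here so the caller can print it.
    """
    factory_password = secrets.token_urlsafe(12)  # 16 chars, ~96 bits of entropy
    salt = secrets.token_bytes(16)
    digest = _hash_password(factory_password, salt)
    record = DeviceCredential(serial, salt, digest, salt, digest, must_change=True)
    return record, factory_password


def authenticate(cred: DeviceCredential, password: str) -> str:
    """Return 'denied', 'change_required' or 'granted' (constant-time compare)."""
    if not hmac.compare_digest(_hash_password(password, cred.salt), cred.digest):
        return "denied"
    return "change_required" if cred.must_change else "granted"


def set_new_credential(cred: DeviceCredential, current: str, new: str) -> bool:
    """Rotate the credential; clears must_change so later logins are granted.

    Requires the current secret, enforces a minimum length, and rejects the
    preprogrammed factory password as the "new" credential on every rotation.
    """
    if authenticate(cred, current) == "denied":
        return False
    if len(new) < MIN_NEW_PASSWORD_LEN:
        return False
    if hmac.compare_digest(_hash_password(new, cred.factory_salt), cred.factory_digest):
        return False
    cred.salt = secrets.token_bytes(16)
    cred.digest = _hash_password(new, cred.salt)
    cred.must_change = False
    return True


def check_unique_defaults(factory_passwords: list[str]) -> bool:
    """Production-line audit for prong 1: no two units may ship the same default."""
    return len(set(factory_passwords)) == len(factory_passwords)


if __name__ == "__main__":
    record, label_password = provision_device("SN-0001")       # constructed serial
    print(authenticate(record, label_password))                 # change_required
    set_new_credential(record, label_password, "owner-chosen-secret-1")
    print(authenticate(record, "owner-chosen-secret-1"))        # granted
    print(check_unique_defaults(["admin"] * 3))                 # False: shared default
```

The audit helper is the check a manufacturer would run over a production batch: a legacy line that burns the same "admin" password into every unit fails it, while a batch provisioned through `provision_device` passes. Keeping the factory hash alongside the live one is what lets the firmware enforce that the user's "new means of authentication" is genuinely new, even on a second or third rotation.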
As you can see, the guidance included in the law itself is specific only to authentication, and it remains vague about which other security measures are reasonable beyond password management. Companies can, however, look to prior guidance for clarity: the California Attorney General's 2016 Data Breach Report treats the 20 controls in the CIS Critical Security Controls for Effective Cyber Defense as the "floor" for reasonable cybersecurity and data protection.
The CIS Critical Security Controls are often seen as the gold standard for security defense and include "Inventory and Control of Software Assets," "Email and Web Browser Protections," "Implement a Security Awareness and Training Program," "Application Software Security," and 16 other controls. As you can gather, the "floor" sets a pretty high bar, but it still raises some important questions. What, for instance, are email and web browser protections as they relate to IoT devices? How would an organization go about implementing a security awareness and training program for a smart refrigerator? And what red team exercises would a security team conduct on a pellet stove?
What are the penalties for noncompliance?
The short answer: we don't know. What the law does say is that it:
• Does not allow private parties to sue under California law. Instead, enforcement is reserved "exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys."
• Does not specify what types of penalties those officials can seek for violations, what the maximum penalties are, or whether officials must prove that actual harm to consumers has occurred before seeking penalties.
Although the idea of requiring manufacturers to provide reasonable cybersecurity for IoT devices sold in California is noble, the new law lacks clarity on the finer details. Much of the guidance it points to was written for general enterprise security rather than for IoT devices, making some of the implied expectations nearly impossible to apply to a device. And, as noted above, it says nothing about the types or maximum size of penalties, or whether harm to consumers must be proven before they can be sought.
The law may be the first of its kind, but it certainly won’t be the last. As the adoption of IoT devices in the workplace continues, I anticipate additional states will issue similar guidance with regard to security controls, and there’s plenty of room for improvement. Device manufacturers should take note that there will be more thorough legislation covering device security and should plan ahead to address the spirit of the legislation, even if this bill misses the mark.
This article was written by Dean Sysman and originally appeared in Forbes.