Ah, the Internet of Things – where some random dude could get access to your child’s vitals, know who is coming into and out of your house and know how you like your laundry. The Internet of Things has been fought with perils including the 2016 attack which used these devices to shut down websites such as Etsy, GitHub, Netflix, Spotify and others. So why are these devices so perilous? The average device has 25 security flaws, including poor password controls, unsecured maintenance practices and poorly implemented security features and updates. Taking all of this into account it is clear that someone needs to do something. But who?

Enter the California legislature and Assembly Bill 1906. Approved by California’s Governor on September 28, 2018 and coming into effect on January 1, 2020, California’s new law governs the manufacture and security of IoT devices. In particular, the law requires a manufacturer of the device to equip the device with reasonable security features, which are as follows:

(1) Appropriate to the nature and function of the device;

(2) Appropriate to the information it may collect, contain or transmit; and

(3) Designed to protect the device and any information contained on the device from unauthorized access, destruction, use, modification or disclosure.

In addition to the requirements above, if the device has a means for authentication outside of the local network, the “reasonable security measure” standard can be met either by pre-equipping the device with a random password or requiring the user to change the password before they can use the device.

While California is at the forefront of data privacy and security and we certainly appreciate the effort, the law leaves much to be desired. First, it allows the manufacturer to decide what is a “reasonable security measure”, which will lead to an inconsistent and low standard in the industry. Furthermore, the use of the word “reasonable” is likely to lead to highly contested litigation. Lastly, while there are a multitude of flaws on IoT devices, the one enumerated standard in the law is password requirements, which, although helpful in increasing security, does not address all of the security flaws that can and will be exploited by hackers.

Finally, this law does not create a right for people to sue but instead relies on the Attorney General to enforce the law. The law also does not provide for the amount of penalties that a company could face which could lead to higher rates of non-compliance. Either way, this is an interesting new regulation that at least attempts to put a stop to the security-lax Internet of Things and provides a starting point for other states which will hopefully follow the initiative. Also, the Attorney General will hopefully release some additional guidance on compliance with this new measure. Regardless of this new law, consumers should always question the security and privacy practices of anything they use or bring into their homes that is connected. Manufacturers should also invest more time and resources into respecting the rights of their customers. I have to go, my laundry machine just pinged me that it’s done.

Protect yo’ self,

Team Termageddon