[co-author: Karen Shin]*

On September 28, Governor Jerry Brown approved California Senate Bill 327, making California the first state in the country to regulate the security of Internet of Things (IoT) devices. SB 327 is a first-of-its kind bill focused on the security features of IoT devices, such as the smart watches, smart appliances and other “smart” gadgets that have found their way into most American homes. These devices have been utilized in the past to launch cyberattacks, including the massive distributed denial of service attack in October 2016 that shut down internet access for a large part of the eastern United States.

SB 327 would require a manufacturer of any “connected device” to equip the device with “reasonable” security feature(s) to protect personal information from unauthorized access, destruction, use, modification or disclosure. The bill defines “connected device” to include devices or any other physical objects that can directly or indirectly connect to the internet and are assigned IP or Bluetooth addresses. However, the bill does not apply to those connected devices subject to security requirements under federal law, regulations or guidance promulgated by a federal agency. For example, FDA-regulated medical devices that are the subject of both premarket submission and postmarket guidance would presumably be exempt from SB 327 requirements.

SB 327 does not specify exactly what security feature(s) are reasonable. Rather, the bill takes a risk-based approach that requires the security feature(s) to be appropriate to the nature and function of the device; appropriate to the information the device may collect, contain or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. As a result, industry self-regulatory guidelines and guidance from agencies such as the National Institute for Standards and Technology (NIST) will help inform what security features are reasonable. NIST has draft guidance currently available for public comment that includes specific recommendations for addressing privacy and security risk mitigation challenges particular to IoT devices. Additionally, SB 327 specifies that, if a connected device can authenticate outside a local area network, a reasonable security feature is one that either gives a preprogrammed password that is unique to each device manufactured or requires the user to create a new password before using the device for the first time. The bill also requires manufacturers of a connected device to give users full access to the device, including the ability to modify software or run firmware on it.

The bill is applicable to manufacturers of connected devices sold or offered for sale in California (or any entity that contracts with others to manufacture products on its behalf). The bill exempts unaffiliated third-party software or applications that a user chooses to add to a connected device; providers of an electronic store, gateway, marketplace or other means of purchasing or downloading software or applications; and entities or individuals subject to HIPAA or the Confidentiality of Medical Information Act with respect to any activity regulated by those acts.

The California attorney general, county counsel and district attorneys will enforce the bill, which does not create a private right of action. However, the bill does allows law enforcement agencies to obtain connected device information from a manufacturer as authorized by law or court order. The bill will come into effect on January 1, 2020.

Pepper Points

• Businesses should familiarize themselves with industry standards and applicable guidance relating to IoT device security, and businesses subject to compliance with the bill should begin taking steps now to build “security by design” into the manufacturing processes for the IoT devices they create.

• Manufacturers subject to the bill will also need to consider how to deal with postmarket security issues, such as patching vulnerabilities with software updates.

• Businesses based outside California that sell into the state should also prepare to comply with SB 327.

Coming on the heels of California’s Consumer Privacy Act, which was passed earlier this year (Pepper’s article is available here), SB 327 marks a continuing trend of nationwide regulatory focus on cybersecurity and personal data privacy. We expect that there will be many more developments at the state level between now and 2020. Several federal bills related specifically to IoT devices are also making their way through Congress (such as the Smart IoT Act, the Securing IoT Act of 2017 and the IoT Consumer TIPS Act of 2017). Pepper will continue to monitor developments in this evolving area.