California Internet Of Things Law First Step In Regulating Connected Devices

King & Spalding

California will likely become the first state to regulate the security of internet-connected devices with a narrowly written Senate bill, SB-327, and an identical Assembly bill, AB 1906 (collectively “the Bill”). If signed into law, the Bill would require that a manufacturer of a “connected device” equip the device with “reasonable security feature(s)” that are “appropriate” to its nature and function and designed to protect it and the information it may collect, contain, or transmit. The Bill does not specify what is “reasonable” or “appropriate,” but it provides “safe harbors” that will satisfy those tests.

The Bill, which is the first legislation of its kind in the U.S., was approved by the California Assembly and Senate last month and is now waiting for Governor Jerry Brown's final approval. He is expected to approve it and, if he does, the law will go into effect on January 1, 2020, and will be codified at Civil Code §§ 1798.91.04-06.

A “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” From a device manufacturer’s perspective, the Bill is vague as to which security features are “appropriate” and “reasonable,” so enforcement is unpredictable and compliance assessments are very difficult. However, the Bill provides a clear path to presumed compliance, providing:

“[I]f a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

Accordingly, after the device’s initial use, users can set their passwords and security features as they wish. The Bill explicitly provides that it is not intended to impose any duty on device manufacturers to “prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.” Thus, the Bill offers manufacturers specificity and simplicity and expressly relieves them of any duty to monitor users to ensure ongoing use of the security features.
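The two safe harbors quoted above translate directly into a manufacturing and firmware design choice. The following is an added example, not code from the Bill or from King & Spalding, that models a fleet of devices under three provisioning policies (a shared factory password, a per-device unique password, and a forced first-use credential change) and checks which fleets meet either safe harbor; the device model, the `Device` class and its methods are assumptions made for illustration, and the SHA-256 hashing is a toy stand-in for a real password KDF.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def hash_pw(pw: str) -> bytes:
    # Toy hash for the example; a shipping device should use a real KDF
    # (e.g. scrypt or Argon2) with a per-device salt.
    return hashlib.sha256(pw.encode()).digest()


@dataclass
class Device:
    serial: str
    preprogrammed_pw: Optional[str]   # None: no usable factory credential at all
    require_setup: bool = False       # safe harbor (2): user must set a credential first
    setup_done: bool = False
    _pw_hash: Optional[bytes] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        if self.preprogrammed_pw is not None:
            self._pw_hash = hash_pw(self.preprogrammed_pw)

    def set_credential(self, new_pw: str) -> None:
        # The first-use flow (e.g. a local setup app) replaces the factory state.
        if len(new_pw) < 12:
            raise ValueError("credential too short")
        self._pw_hash = hash_pw(new_pw)
        self.setup_done = True

    def authenticate(self, pw: str) -> bool:
        # Authentication from outside the LAN is refused until setup is complete.
        if self.require_setup and not self.setup_done:
            return False
        if self._pw_hash is None:
            return False
        return hmac.compare_digest(self._pw_hash, hash_pw(pw))


def make_fleet(n: int, policy: str) -> List[Device]:
    if policy == "shared_default":      # every unit ships with the same password
        return [Device(f"SN{i:04d}", "admin") for i in range(n)]
    if policy == "unique_default":      # safe harbor (1): random password per unit
        return [Device(f"SN{i:04d}", secrets.token_urlsafe(12)) for i in range(n)]
    if policy == "setup_required":      # safe harbor (2): no access until user sets one
        return [Device(f"SN{i:04d}", None, require_setup=True) for i in range(n)]
    raise ValueError(policy)


def meets_safe_harbor(fleet: List[Device]) -> bool:
    pws = [d.preprogrammed_pw for d in fleet]
    unique = all(p is not None for p in pws) and len(set(pws)) == len(pws)
    forced = all(d.require_setup for d in fleet)
    return unique or forced
```

`meets_safe_harbor` is a fleet-level check: a single duplicated factory password anywhere in the production run defeats safe harbor (1), which is why it compares the whole set rather than testing units one at a time.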

The law does not apply to entities or persons already subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

Furthermore, the Bill expressly states that it shall not be construed to provide a basis for a private right of action and can only be enforced by the Attorney General or a city, county, or district attorney. The Bill is silent as to any specific penalties or remedies that may be sought by the enforcement authorities, and enforcement may take the form of injunctive relief. Additionally, although there is no direct private right of action, consumers potentially could claim that the Bill’s requirements form the basis of a legal duty in connection with other claims, such as under state laws regulating deceptive trade practices or in tort cases.

Because the Bill does not define the key terms “reasonable” and “appropriate” security features, it remains to be seen how the Attorney General or city, county, and/or district attorneys, and ultimately the courts, will interpret them. We will also have to wait and see how the enforcement authorities exercise their discretion to bring enforcement actions based on the relative severity of violations and the potential for harm. In any event, we can expect the Bill, if enacted, to serve as a model or at least a trigger for future regulation of connected devices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
