California Passes Bill Requiring Reasonable Security Features for Connected Devices

Alysa Hutnik
Kelley Drye & Warren LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices.  Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly more narrow.  As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).

At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either: (a) the preprogrammed password is unique to each device manufactured; or (b) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. These requirements, of course, are in addition to any duties or obligations imposed under other laws (i.e., CCPA).

The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).

If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP
Kelley Drye & Warren LLP
Contact
more
less

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide