Legislation aimed at improving the security of devices that are part of the Internet of Things was introduced in the U.S. Senate and House of Representatives this week. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would establish standards for federal government agencies that purchase IoT devices for use by the federal government. The proposed law, spearheaded by Senators Mark Warner (D. VA), Cory Gardner (R. CO), Maggie Hassan (D. NH), and Steve Daines (R. MT), would call on the National Institute of Standards and Technology (NIST) to develop standards addressing, at a minimum, secure development, identity management, patching, and configuration of IoT devices. NIST also would provide guidance to the federal government on policies and procedures for the reporting, coordination, publishing, and receipt of information about IoT device security vulnerabilities, and the proper resolution of such vulnerabilities.
In a written statement, Senator Warner explained his intention that “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.” Similar federal legislation was introduced in 2017. The 2017 version, however, included specific requirements, e.g., for password management and software updates, which are not present in the 2019 legislation.
California is the first state to pass a cybersecurity law addressing “smart” devices and IoT technology, impacting virtually anything connected to the internet, including smart home devices (e.g., WeMo Smart Plugs, August's Smart Lock, NEST thermostats) and connected appliances. The new law would take effect January 1, 2020.
Security Obligations
California's new law specifies the security obligations of “manufacturers” of connected devices. A manufacturer includes the person who manufactures or contracts with another person to manufacture connected devices sold or offered for sale in California. The law will therefore apply to manufacturers outside of California if their products are sold in California.
Under the new law, a covered manufacturer of a connected device must equip the device with a “reasonable security feature” that is:
- Appropriate to the device’s nature and function;
- Appropriate to the information the device may collect, contain, or transmit; and
- Designed to protect the device and any of its information from unauthorized access, destruction, use, modification, or disclosure.
The phrase “security feature” includes any feature designed to provide security for the device. “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer. If a device is programmed to authenticate outside a local area network, the security feature is deemed to be reasonable if either of the following applies:
- The preprogrammed password is unique to each device; or
- The security feature requires a user to generate a new means of authentication before access is granted to the device for the first time.
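As an added illustration that is not part of the original article, the following Python model shows how a device firmware could satisfy both of the criteria just listed: each unit is provisioned with its own random factory password, and no access is granted until the owner replaces that factory credential. The class and function names (`DeviceAuth`, `provision_fleet`, `factory_passwords_unique`) are hypothetical, and the statute requires only one of the two criteria.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac


@dataclass
class DeviceAuth:
    """Authentication state of a single connected device (hypothetical model)."""
    factory_password: str                      # per-unit secret set at manufacture (criterion 1)
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = field(init=False)
    credential_rotated: bool = False           # has the owner replaced the factory credential?

    def __post_init__(self) -> None:
        # Only a salted, stretched hash of the password is kept on the device.
        self.password_hash = self._hash(self.factory_password)

    def _hash(self, password: str) -> bytes:
        return pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.password_hash)

    def login(self, password: str) -> str:
        """Return 'denied', 'setup-only' (first access, must set a new credential) or 'full'."""
        if not self._verify(password):
            return "denied"
        if not self.credential_rotated:
            # Criterion 2: no access until the user generates a new means of authentication.
            return "setup-only"
        return "full"

    def set_new_credential(self, current: str, new: str) -> bool:
        """Replace the factory credential; rejects short passwords and reuse of the factory one."""
        if not self._verify(current) or len(new) < 12 or new == self.factory_password:
            return False
        self.password_hash = self._hash(new)
        self.credential_rotated = True
        return True


def provision_fleet(count: int) -> list[DeviceAuth]:
    """Criterion 1: every unit leaves the factory with its own random password (constructed sample)."""
    return [DeviceAuth(factory_password=secrets.token_urlsafe(12)) for _ in range(count)]


def factory_passwords_unique(fleet: list[DeviceAuth]) -> bool:
    """Manufacturing check: no two units share a preprogrammed password."""
    return len({d.factory_password for d in fleet}) == len(fleet)
```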
Cautionary Items
Although California's new law is sweeping in scope, there are some safeguards and exemptions. For example, there is no private right of action under the statutes, activities regulated by HIPAA are exempt, and manufacturers are not responsible for choices made by the owner/consumer or for the impact of non-affiliated software or apps. In light of the breadth of the law and the specific nature of the exemptions, products liability insurers of manufacturers whose connected devices are or will be sold in California may wish to require insureds to assess which products will be subject to the new law and ensure that “reasonable security features” are in place. Alternatively, development of expanded/reinforced exclusionary language may be advisable.
It remains an open question whether more states will follow suit, and what impact federal legislation will have on California’s law and on any other state IoT laws that might be enacted.