"The bill, introduced in the state Senate earlier this month, would require Web-connected device manufacturers to equip devices with reasonable security features and obtain consent to use consumer information."

Manufacturers of Internet-connected devices (better known as the Internet of Things) should be following a new California bill closely because it would create a mandate under California law that all IoT devices have built-in security features appropriate to the device and information collected. California Senate Bill 327, amended in March, is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The California bill was introduced at nearly the same time the FTC brought an enforcement complaint in federal court in California against a computer networking equipment manufacturer for failing to take reasonable steps to secure its products from hackers.

California’s Senate Bill 327 would go much further than the FTC has in “encouraging” manufacturers to adopt industry best practices for device security by codifying the State of California’s ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. It could be the first legislative mandate for IoT device manufacturers to proactively implement “security by design” (that is, at an early stage, and built into the product development process, rather than added reactively later as a “patch” or as an optional or voluntary industry best practice). Consequently, the requirements under this bill could have a significant R&D and budgetary impact on IoT device development, making what was once a manufacturer’s afterthought a key component at the design and production stages of any IoT device that is produced for sale to consumers in the US market.

If enacted as currently written, the bill would require a manufacturer that sells or offers a connected device “capable of connecting to the Internet, directly or indirectly, or to another connected device” to:

  • Equip the device with reasonable security features appropriate to the nature of the device and the information it collects, contains or transmits
  • Design the device to indicate to the consumer when it is collecting information
  • Obtain consumer consent (presumably through some form of user interface) before the device collects or transmits information
  • Provide an explicit privacy notification to the consumer about what data is collected by the device
  • Directly notify consumers of security patches and updates intended to make the device more secure on an ongoing basis

The bill would also require retailers to provide a short, plainly-written notice of the device’s information collection functions at the point of sale. That notice would need to include statements indicating whether “the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information” and where a consumer can find the privacy policy applicable to the device.

A law based on California’s Senate Bill 327 could significantly impact the entire IoT industry and not merely the largest players and products such as the Amazon Echo and Google Home, or connected cars and wearables.  For one thing, California is perhaps the largest commercial market for emerging technology and IoT products and a leading test bed for them, so any California state law governing the security of IoT products will likely be the starting point for security of IoT products sold throughout the US (i.e., the designed security features for the home router sold in California will likely be the same for an identical make/model home router sold in Ohio whatever the differences that may exist under state law). And pressure on the issue is not just coming from California lawmakers.

As we reported recently, the FTC has demonstrated its concern about the security of end users’ use of emerging-market Internet-connected devices, and last month, Google began removing mobile applications that do not meet its User Data Policy mandating adequate privacy and data security policies. In the case of the FTC acting on IoT security, the FTC brought a January 2017 enforcement complaint against a computer networking equipment manufacturer for failing to undertake what the FTC considers reasonable steps needed to secure wireless routers or IP cameras from “widely known and reasonably foreseeable” risks of unauthorized access by failing to proactively address “well-known and easily preventable security flaws.” But the FTC has no rulemaking procedures to set minimum security practices when enforcing promises made by manufacturers to consumers in product brochures, advertising and other public statements. Instead, FTC enforcement actions alleging unfair and deceptive practices under Section 5 of the FTC Act rely on guidance published by the Commission in “Careful Connections: Building Security in the Internet of Things,” as well as industry standards such as those found in the Open Web Application Security Project and those published by the National Institute of Standards and Technology(NIST).

The future of California Senate Bill 327 remains uncertain. Regulatory scrutiny and legislative action addressing the data security of IoT devices, however, is likely to continue to grow, and it is essential that businesses manufacturing or using these IoT devices be prepared for these developments, including being ahead of the curve in implementing reasonable security protections to avoid disruptions to their product sales.