Insights
Publications

What California’s New Security Law Means to Your Business

June 13, 2019 Articles

Commonsense IoT security steps that startups and small business should consider to comply with California’s new law

California recently enacted a new law, Senate Bill 327, that requires companies that make Internet of Things (IoT) devices to incorporate minimum security features for every device. The federal government is also ramping up efforts to regulate IoT security, with everyone from the U.S. Senate to the Commerce Department to the FTC getting involved. Many large companies will already have detailed security and privacy protocols in place for the IoT development processes. But what are some commonsense, inexpensive steps that entrepreneurs, startups, and smaller companies can take in response to California’s new law and possible federal action in the near future?

It’s worth knowing that the California law is vague—intentionally so, it turns out. SB 327 requires manufacturers of any device that’s “capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address” to have “a reasonable security feature or features” designed to prevent unauthorized users from accessing the device. Cal. Civ. Code, section 1798.91.04(a) (full text available here). The law also sets minimum password requirements for any device capable of authentication outside a local area network (LAN). For those devices, a security feature is deemed “reasonable” if there is either (1) a pre-programmed password that is different for each device (as opposed to, say, a pre-set password common to an entire batch or line of devices), or (2) the device requires the user to create a new password before the user can access the device for the first time. See section 1798.91.04(b). One last word about the basics of this new law: it doesn’t kick in until January 1, 2020, so there’s some time to put measures in place to comply with it.

Beyond these minimum password requirements, what’s a “reasonable security feature?” The law doesn’t really say, and that’s intentional. The legislative history behind the law strongly suggests that the author, State Senator Hannah-Beth Jackson, intended to leave it up to industry to define what’s reasonable. For example, Senator Jackson testified before the Assembly Appropriations Committee on August 15, 2018 that the bill “gives industry wide latitude in determining what precise security measures are needed for each particular device” in light of the “ever changing landscape of cybersecurity.”

Legislators at the federal level are also showing increasing interest in IoT security and privacy issues, but they also seem to be struggling to legislate in an area where new kinds of threats arise seemingly every day. What might be good security today could be outdated in days or weeks. For example, in a 2015 study, the FTC (like the California law) simply threw the issue back onto the business community, concluding that there should be “further self-regulatory efforts on IoT” (emphasis added, see the full FTC report here). More recently, as GeekWire reported here, Representative Suzan DelBene, the co-founder of the Congressional Caucus on the Internet of Things, remarked at an industry conference on the challenge of passing a law “given how much things are changing.”

A bipartisan group of U.S. Senators is also working on an updated version of legislation on standards for IoT security called the Internet of Things Cybersecurity Improvement Act. This shows continued interest in this area at the federal level, but these senators also seem keenly aware that it’s hard to legislate cutting edge technology. Some of the authors had previously proposed similar legislation that actually required certain password and software updating features, but the current bill merely calls on the National Institute of Standards and Technology to make recommendations that could be the baseline for federal IoT purchases in the future (see a description of the original bill here and the current one here). Similarly, the SMART IoT Act, which passed the House in November 2018, merely directed the Commerce Department to conduct research into potential IoT security measures.

So, for the time being at least, industry is setting the pace on this subject. What does that mean for small business and startups wondering how to comply? Based on our discussions and counseling with companies in the IoT business, the following four measures seem to be commonsense steps that businesses of any size can implement:

  1. Make cybersecurity part of your design and product launch protocols so that it is considered up front, even for updates;
  2. Comply with reasonable password requirements, such as those set forth in the California legislation;
  3. Ensure all devices can be automatically patched when security vulnerabilities are identified; and
  4. Consider how your device’s interaction with third-party devices and software might expose new vulnerabilities.

Until industry can agree on a standard or legislators find a way to enact flexible laws to address these threats, instituting a deliberate protocol for considering IoT cybersecurity that includes at least these steps may be the best defense.

Alex Reese is a senior associate at Farella Braun + Martel, a leading Northern California law firm. He helps individuals and companies of all sizes resolve disputes involving technology and issues of unfair competition. @FarellaBraun

Firm Highlights

News

Chambers USA 2024 Recognizes Farella Braun + Martel Lawyers, Practices

Farella Braun + Martel is pleased to announce that Chambers USA has recognized 16 lawyers and six practice areas in the legal directory’s 2024 edition. Individual California and Western U.S. Rankings: Sarah Bell &ndash...

Read More
News

Farella Lawyers Recognized as 2024 IP STARS by Managing Intellectual Property

Farella Braun + Martel is pleased to announce that  Managing Intellectual Property has recognized partners Daniel Callaway , James Day , Jeffrey Fisher , Winston Liaw , and Eugene Mar in the 2024 edition of...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

Hsu Untied Interview With Dan Callaway

Dan Callaway, a partner specializing in intellectual property litigation, was a guest on Hsu Untied , an award-winning podcast hosted and produced by Richard Hsu featuring entrepreneurs, venture capitalists, best-selling authors, and more.  During...

Read More
News

JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'

Intellectual property practice chair Eugene Mar provided expert commentary to American Banker for the article "JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'." In the article, he said: "By filing this as a trade...

Read More
Publication

Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More
Publication

Will the Supreme Court Limit Copyright Damages? Implications of Warner Chappell Music, Inc. et al. v. Sherman Nealy et al.

The U.S. Supreme Court heard oral arguments in Warner Chappell Music, Inc. et al. v. Sherman Nealy et al. (Case No. 22-1078) on February 21, 2024. On the surface, the case presents the opportunity...

Read More
Publication

No Three-Year Bar on Copyright Damages (For Now): SCOTUS Issues Opinion in Warner Chappell Music, Inc. et al. v. Sherman Nealy et al.

In a 6-3 majority decision in Warner Chappell Music, Inc. et al. v. Sherman Nealy et al. , the Supreme Court held that the Copyright Act entitles a copyright owner to recover damages for any...

Read More
Publication

7 Ways Companies and Content Creators Can Navigate Copyright Law for a Successful Partnership

In recent years, the advent of the social media “influencer” has revolutionized advertising. Companies often partner with influencers to market their products, hoping to tap into the influencer’s devoted audience. Likewise, influencers create certain content...

Read More
Publication

Copyright Law for Influencers and Brands: How Content Creators and Companies Hiring Them Can Navigate Copyright Law for a Successful Partnership

In recent years, the advent of the social media “influencer” has revolutionized advertising. Companies often partner with influencers to market their products, hoping to tap into the influencer’s devoted audience. Likewise, influencers create certain content...

Read More