In September 2019, California signed Senate Bill 327, also known as the California Internet of Things (IoT) Security Law. While not as extensive a piece of legislation as the California Consumer Privacy Act (CCPA), SB-327 took effect on January 1, 2020, and focuses on manufacturers of connected devices, requiring updated security standards that protect both devices and end-users.
The California IoT Security Law, Explained
California has been at the forefront of developing standards around IoT devices, starting with the 2017 Internet of Things Cybersecurity Improvement Act. This made California the first state in the U.S. to adopt an IoT-specific cybersecurity law. SB-327 builds upon that foundation, with detailed provisions meant to enhance device security in any product that connects to the internet.
Key Provisions
The two main provisions of SB-327 explain that manufacturers must equip devices with reasonable security features and unique passwords or security measures.
- Reasonable Security Features: These requirements protect the device and prevent unauthorized access to the information it collects, stores, or transmits. Examples of reasonable security features include data encryption, secure APIs, and regular software updates or patches. What counts as reasonable depends on the use case or function of the device. Most medical device providers already apply these kinds of requirements to prioritize data privacy in healthcare.
- Unique Passwords and Security Measures: Connected devices that can be authenticated from outside a local area network must either ship with a unique preprogrammed password for each unit or require the user to create a new password before first-time access to the device.
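The two authentication options above, modelled as an added example (this is illustrative code written for this article, not a manufacturer's firmware): each unit is provisioned with its own random factory password, any shared default of the kind Mirai abused is rejected, and first login is gated on setting a new password. The `SHARED_DEFAULTS` list and the `Device` fields are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of shared factory credentials (the pattern SB-327 rules out).
SHARED_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "")}
MIN_PASSWORD_LEN = 12


@dataclass
class Device:
    serial: str
    factory_password: str            # unique per unit, e.g. printed on the label (assumption)
    password_changed: bool = False
    _current: str = field(default="", repr=False)

    def __post_init__(self) -> None:
        self._current = self.factory_password


def provision(serial: str) -> Device:
    """Option 1: give every unit its own randomly generated factory password."""
    return Device(serial=serial, factory_password=secrets.token_urlsafe(12))


def is_acceptable_credential(username: str, password: str) -> bool:
    """Reject shared defaults and trivially short passwords."""
    return (username, password) not in SHARED_DEFAULTS and len(password) >= MIN_PASSWORD_LEN


def login(device: Device, username: str, password: str,
          new_password: Optional[str] = None) -> str:
    """Authenticate; option 2: refuse access until the user sets a new password."""
    # Constant-time comparison so password checks do not leak timing information.
    if not hmac.compare_digest(password.encode(), device._current.encode()):
        return "denied"
    if not device.password_changed:
        if (new_password is None or new_password == device.factory_password
                or not is_acceptable_credential(username, new_password)):
            return "password-change-required"
        device._current = new_password          # factory password no longer valid
        device.password_changed = True
        return "ok-password-set"
    return "ok"
```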
Rationale
There are a variety of reasons why California adopted SB-327. One of the major ones is the rapid increase in IoT devices over the last decade. These devices constantly collect, use, and store data at home, at work, and in public spaces, which increases the risk of misuse or unauthorized data access.
Many IoT devices manufactured in the last decade lack strong security measures. Devices have been shipped with default passwords, creating security issues and vulnerabilities, making them an easy target for hackers. The number of high-profile security breaches involving IoT devices showcases how easy it is to access protected data—posing a risk to personal privacy and potential financial damage. One example is the devastating Mirai botnet in 2016, which compromised over 100,000 devices that used a default username and password.
Finally, SB-327 encourages manufacturers of IoT devices to prioritize cybersecurity when designing and producing their devices. This type of responsible manufacturing provides additional security for end-users, protecting data and preventing breaches.
IoT Devices Defined
An IoT device, or “connected device,” is defined by this law as any device, sensor, or other object capable of connecting to the internet. This includes direct or indirect internet connections with an IP address or Bluetooth address.
Examples of IoT devices include home accessories like smart thermostats or intelligent home security systems. Because these devices connect to the internet via Wi-Fi and sync data to the cloud, they fall under the umbrella of “Internet of Things” devices. Another example is wearable health devices, like Fitbit wristbands or Apple Watches, that monitor and sync your health data to the cloud.
Who Must Comply with SB-327?
The main parties required to comply with SB-327 are IoT device manufacturers that sell in California. This includes the device manufacturer and other contracted businesses or individuals. Companies that design and produce devices and brands that sell white-label IoT devices are also required to comply with SB-327.
SB-327 does not apply to third parties that merely connect to IoT devices or offer services that use them, since they are not manufacturers. Likewise, a party that only provides a platform for selling IoT devices, such as an electronics store or online marketplace, and has no control over the connected devices is not covered by this law.
Penalties for Non-Compliance
SB-327 does not list specific penalties for non-compliance in the bill’s text. Instead, the law empowers public prosecutors, from California’s Attorney General down to local district attorneys, to enforce the provisions of SB-327. Enforcement can lead to penalties, although those penalties will depend on the specific nature of the case, the violation, and whether the violation caused any harm.
Additionally, the law does not provide a private right of action for end-users. This means that an individual consumer or a business cannot sue an IoT manufacturer directly for not complying with SB-327.
Impact of SB-327
Since taking effect in January 2020, SB-327 has had a widespread impact across manufacturers and end-users.
IoT Manufacturers
To remain compliant with SB-327, IoT device manufacturers must equip their devices with reasonable security features. While this requirement enhances each device's cybersecurity, it also increases costs and production times for manufacturers. Companies must invest more time and resources to design, implement, and test new security features.
While these secondary effects might seem negative, manufacturers who go above and beyond the minimum requirements set themselves apart from the competition. As the public grows increasingly aware of the increased threat of malware and the need for solid cybersecurity, it becomes a priority when customers choose a product to purchase. A business that values security becomes a better option than one that does the bare minimum.
End-Users
Users of IoT devices also benefit from SB-327. The biggest gain is that their devices are more secure than before. Because the law mandates that IoT devices come with reasonable security features, like unique authentication, users can be confident that their devices have measures in place to protect information privacy.
These improved security features mean better protection of end-users’ data. Because IoT devices often collect, store, and share sensitive information, users want that data secured. SB-327’s IoT cybersecurity requirements help provide peace of mind that a user’s data is protected from cyberattacks.
With the passing of SB-327 and other recent cybersecurity laws, consumers are increasingly aware of the cybersecurity landscape. This awareness helps users take steps to protect their own data and online presence, both with IoT devices and beyond.
Comparing SB-327 to Existing IoT Security Frameworks
California is the first state in the U.S. to enact a law around IoT devices, but Oregon and the federal government closely followed with legislation of their own. Oregon’s IoT law, House Bill 2395, was passed in 2019 and requires manufacturers to equip IoT devices with reasonable security standards and authentication requirements for first-time users. The IoT Cybersecurity Improvement Act, passed in December 2020, is a federal law that sets minimum security standards for any IoT device purchased by the federal government.
Other states often adopt the NIST Cybersecurity Framework, written by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in 2014. The NIST Cybersecurity Framework is not specifically about IoT device protection, but the general cybersecurity principles it suggests can be applied to IoT devices. For example, strong authentication for IoT devices is an access control tool that falls under the Protect function of the framework.
There has also been an increase in this type of legislation in other countries worldwide. In the European Union, the General Data Protection Regulation (GDPR) indirectly affects IoT devices by mandating protections for the personal data of EU citizens. Similarly, the EU Agency for Cybersecurity (ENISA) has proposed detailed privacy and security standards for IoT devices.
The U.K. government’s “Secure by Design” code of practice for IoT devices ensures that devices are made with suitable security guidelines starting with their design stage. In 2020, a law was proposed to raise the security standards of consumer smart devices according to this code of practice.
The Future of IoT Security and SB-327
The adoption of SB-327 in California shows how both state and federal governments are starting to recognize the need for increased cybersecurity risk management, especially across personal devices.
As we look to the future of IoT security, we expect increased regulation, standardization, and updated privacy laws to address the growing ecosystem of IoT devices and manufacturers. With this increase in devices, we can also predict a greater threat landscape as cybercriminals evolve and identify potential entry points to target protected data.