EXECUTIVE SUMMARY:

Smart devices make our lives easier. Who wouldn’t enjoy the convenience of using a smartphone to control a thermostat, creating the perfect temperature just in time for your arrival home?

However, internet-connected devices pose cyber security risks, so California has stepped up to be the first state in the nation to pass an Internet of Things (IoT) cyber security law: Senate Bill 327. SB-327 will go into effect on January 1st, 2020, and it applies to all smart devices sold in the state.

SB-327 will require manufacturers to strengthen their password security. Companies can no longer set a device’s password to a pre-programmed ‘admin’ or ‘password.’ Each device must come with a unique password or allow the user to generate a strong password. The bill also requires businesses to equip their devices with “a reasonable security feature” to protect the device’s data from unauthorized access, use, or modification.

However, the bill lacks specificity, which is causing confusion. For example, what exactly is meant by “reasonable security”? Dan Pepper, a privacy and data protection partner at law firm BakerHostetler, says, “If all you are doing is taking the authentication step and you are not doing anything with updates or patches, encryption, or third-party components, then you are falling short.” Although the law is concrete only in its authentication requirement, there’s hope that it will be updated with more specific requirements in the near future.

The bill should serve as a wake-up call to Congress to address IoT security and other cyber security issues. Our lives are becoming increasingly connected to the internet, and as technology rapidly advances, the security of these devices must not fall behind.

For more on this story, visit Dark Reading.