Look to UL to help stay one step ahead of the changing IoT landscape
In September 2018, California Governor Jerry Brown signed Senate Bill 327 and Assembly Bill 1906, marking first-of-their-kind bills of which manufacturers of Internet of Things (IoT) devices need to be aware. The bills, set to take effect January 1, 2020, expressly govern cybersecurity measures built into “smart” devices. With this is mind, and the deadline only 14 months away, retailers should begin speaking with manufacturers about plans for compliance with the new law and the importance of demonstrating this compliance through a third party.
The bills cover all connected devices – defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address” – and any manufacturer who produces these items for sale in California. With California being the 5th largest economy in the world, this likely covers most manufacturers.
In short, Senate Bill 327 requires that connected devices have a “reasonable security feature or features” to protect information, but the terms “information” and “reasonable” are left undefined in the bill. As such, it is likely that the statue will be broadly interpreted, and manufacturers should act by assigning a unique password to each device or, at the very least, require that the device prompts users to create unique passwords when it is set up for the first time. Assembly Bill 1906 requires a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
Once again, the breadth of this bill, and its scope to cover a range of security measures across different industries and market segments, means that manufacturers should seek advice on how best to interpret the bill to ensure the security of their customers and avoid potential non-compliance. Some of the law’s requirements appear to be enhancements to prior state or national laws, and as noted above it is likely that this new California bill will eventually have national, and even global, impact.
For more information, please contact Abel.Torres@ul.com.