California IoT security law: What it means and why it matters

In September, California Governor Jerry Brown signed into law a new bill aimed at regulating the security of IoT devices, and it’s set to go into effect in a few short months on January 1, 2020.

While the goal of the law is to better address the risks that increased connectivity brings into the workplace, it instead leaves us with more questions than answers. Broad guidance and lack of clarity around what a “reasonable security feature” is make it difficult for organizations responsible for complying with the law. Yes, it’s a great first step to better securing IoT devices, but it ultimately fails at outlining specific instruction.

Below, I explore what’s missing and why we still have some work to do before the law can fully do the job it was intended to.

What the California IoT security law covers

The bill defines a connected device as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address”. For anyone on the security team attempting to determine whether a device fits within their company’s security policy, this definition could be problematic. Connected devices include anything from computers to thermostats to copy machines and employees’ personal fitness monitors. What’s more, Gartner predicts the number of connected devices will only continue to increase, reaching 20.4 billion by next year, and others predict that number will be closer to 50 billion by 2022.

The fact is, IoT devices will continue to present a high security risk to businesses worldwide, more clarity is needed on which of those devices need more attention over others.

Understanding a “reasonable” security feature

Under the new law, a reasonable security feature is outlined as one that is “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

Furthermore, Daniel Pepper from the national law firm, BakerHostetler, notes:

“If the device is subject to authentication outside a local area network, then the law clarifies that “reasonable security” means the device should contain a unique preprogrammed password or require a user to generate a new means of authentication prior to initial access being granted. This specificity goes beyond the guidance provided in prior FTC enforcement actions, which have recognized vulnerabilities posed by default settings without deeming reasonable any specific approach to initial password management.”

In other words, better authentication and password management. But under the Calfornia Department of Justice’s California Data Breach Report from February 2016, it defined compliance with the CIS Critical Security Controls as the “floor” for reasonable cybersecurity. Yet the CIS 20 isn’t specific to IoT devices, and what’s more, the application of some of the CIS controls on IoT devices doesn’t make any sense.

As a result, the combination of the previous report from 2016 and this new law will likely lead to additional confusion around things like, what email and web browser protections for IoT devices look like? Or whether security awareness and training programs should be required for operating a smart refrigerator or other smart devices?

California IoT security law: Penalties for noncompliance

Ultimately, the law’s biggest misstep is the fact that it refers to a set of controls that are not meant for IoT device security. The good news for any company worried about noncompliance, however, is that the law prohibits private parties from suing under California law. Enforcement is instead delegated “exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys.”

Additionally, little to no specificity is given to the types of penalties that exist, the maximum penalty, or how officials plan to prove a violation occurred. All in all, it’s going to be difficult to not only penalize organizations for failure to comply, but it’s going to be hard to prove they were in violation in the first place.

As I mentioned at the beginning, this law may be the first of its kind, but I doubt it will be the last. As the risks posed by Internet-connected devices increase, so will regulation around them. So, let’s use the California IoT security law as a lesson for how to improve future guidance and ensure better security.