Generic placeholder image

California IoT Security Law

Miami - September 28, 2020

The Internet of Things (IoT) is a network of physical objects —“things” (connected/smart devices) — embedded with sensors, software and other technologies to connect and exchange data with other devices/systems via the Internet to provide homogeneous communication and contextual services. Smart devices include for instance phones, watches, TVs, clothing, Bluetooth devices, printers and implants, etc. The term IoT was coined by Kevin Ashton in 1999 in order to promote radio frequency identification (RFID).

In the U.S., the State of California is the first State to regulate IoT specifically. The California IoT Security Law (Stats.2018, c. 886 (S.B.327), § 1) which was added under the Civil Code of California (California Code, Civil Code - CIV § 1798.91.04 available at: https://codes.findlaw.com/ca/civil-code/civ-sect-1798-91-04.html) came into force on January 1, 2020.

The California IoT Security Law requires manufacturers of ‘connected devices’, sold/offered for sale in California, to equip such devices with ‘reasonable security features’:

  • appropriate to the nature and function of the device and to the information it may collect, contain, or transmit;
  • designed to protect the device and information contained therein from unauthorized access, destruction, use, modification, or disclosure.

The California IoT Security Law defines 'manufacturer' as a person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices. It defines 'connected device' as any device, or other physical object which is (i) capable of connecting to the Internet directly/indirectly, and (ii) assigned with an IP address.

If a connected device is equipped with a means of authentication outside a local area network, it shall be deemed a “reasonable security feature" if it:

  • ensures that the preprogrammed password is unique to each device; OR
  • requires users to generate a new means of authentication before access is granted to the device for the 1st time.

The California IoT Security Law does not create a private cause of action, (i.e. private parties cannot file a suit against the Manufacturer) since any violation of the IoT Security Law can only be enforced by the California Attorney General, the city attorney, the county counsel, or the district attorney.

Should you need TLPS team's assistance in relation to any aspect of the California IoT Security Law, please contact us !

Dr. Ariel Humphrey