California demands ‘reasonable security features’ in new IoT bills

California’s Senate passed legislation that requires IoT device manufacturers to incorporate security in the devices they release on the market, to ensure user privacy and online safety. If manufacturers want to sell their gadgets in the Golden State, they might have to start revising all products to ensure they are compliant as of January 1, 2020, writes Blomberg Law.

The law addresses devices “that can connect directly or indirectly to the internet and are assigned internet protocol or Bluetooth addresses,” including Amazon Echo and Google Home. Devices under federal standards, such as medical devices, are not affected.

Manufacturers must “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,  appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

Gov. Jerry Brown has to sign the two identical bills incorporating the requirements by September 30, otherwise the law won’t take effect.

One problem has already been raised: manufacturers claim the law leaves room for interpretation and is vague. Also, the law doesn’t address connected devices produced outside the US and imported. According to one of the authors, Sen. Hannah-Beth Jackson (D), the two bills are vague on purpose, expecting manufacturers to decide for themselves what security measures to take and how to implement “reasonable security features.”

Custom Electronic Design & Installation Association, Entertainment Software Association and National Electrical Manufacturers Association have already argued against the IoT bills. They are supported in their actions by a number of organizations, including the Consumer Federation of America, Electronic Frontier Foundation and Privacy Rights Clearinghouse.