California passes cybersecurity law for connected devices, receives mixed feedback
It’s official: California is the first US state to regulate IoT security after Governor Jerry Brown signed the bill into law. The law, which takes effect on Jan. 1, 2020, was first introduced in 2017 and has been discussed ever since. It addresses weak security and information privacy by demanding manufacturers provide ‘reasonable security features’ for connected devices released on the market.
“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified,” states the official document.
“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” said Sen. Hannah-Beth Jackson, who introduced the bill. “SB 327 ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process.”
This is not the first attempt to regulate IoT cybersecurity: in the past other bills were presented to Congress but didn’t make it to the final stage.
The new law will have a significant impact since California is the first state in the US to go down this route to protect consumers and demand security improvements. It in fact received mixed feedback. While some consider it a first step to regulate and improve security for connected devices, there were also critics claiming the law was rushed and vague, as it leaves room for interpretation.
The law was signed together with the already criticized net neutrality law – which the Trump administration is attempting to block by suing California.California connected device regulation IoT cybersecurity law