California Signs the First IoT Security Bill into Law, and the FTC Submits Comments to the Consumer Product Safety Commission Regarding the IoT
California’s New IoT Law
On September 28, 2018, California Governor Jerry Brown signed into law a cybersecurity bill governing Internet of Things (IoT) devices, the first law of its kind in the nation. SB 327 requires manufacturers of internet-connected, or “smart,” devices to ensure the devices have “reasonable” security features by January 1, 2020.
The law applies to any “device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition is broad and includes not only smart TVs, smart speakers, and other smart home devices, but also computers (laptops and desktops), connected cars, smartphones, smartwatches, and many other modern electronics.
The law does not contemplate further rulemaking, and it is unclear whether revisions to the law will be sought.
Specifically, under the law, a manufacturer of a connected device must equip the device with a reasonable security feature or features that are:
- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain, or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
If a connected device is designed to be accessed via authentication from outside a local network (i.e., from the internet rather than from a home network), the device is considered to have reasonable security features if it meets one of the following two requirements:
- The preprogrammed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
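The two authentication paths above, modelled in code as an added example (not from the article or from any manufacturer): path 1 derives a per-unit factory password from the serial number under a key held only at the factory, and path 2 refuses access to a device shipped with a shared default until the user replaces that credential. All names, the PBKDF2 parameters and the factory key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: work factor chosen for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def factory_password(serial: str, factory_key: bytes) -> str:
    """Path 1: a preprogrammed password that is unique to each unit.
    Derived from the serial under a manufacturing-only key, so no two
    devices ever share a default and the key never leaves the factory."""
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return mac[:12].hex()


class DeviceAuth:
    """Credential store for a device reachable from outside the local network."""

    def __init__(self, password_hash: bytes, salt: bytes, force_rotation: bool):
        self._hash = password_hash
        self._salt = salt
        self._must_rotate = force_rotation  # path 2: first login must set a new credential

    @classmethod
    def provisioned(cls, serial: str, factory_key: bytes) -> "DeviceAuth":
        salt = secrets.token_bytes(16)
        return cls(_hash(factory_password(serial, factory_key), salt), salt, False)

    @classmethod
    def shared_default(cls, default: str) -> "DeviceAuth":
        # A default common to every unit (e.g. "admin") is only acceptable
        # under the statute if a new credential must be set before first access.
        salt = secrets.token_bytes(16)
        return cls(_hash(default, salt), salt, True)

    def login(self, password: str, new_password: str = "") -> bool:
        if not hmac.compare_digest(self._hash, _hash(password, self._salt)):
            return False
        if self._must_rotate:
            if not new_password or new_password == password:
                return False  # access denied until a fresh credential is supplied
            self._salt = secrets.token_bytes(16)
            self._hash = _hash(new_password, self._salt)
            self._must_rotate = False
        return True
```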
The law provides for no private right of action. The attorney general, a city attorney, a county counsel, or a district attorney has exclusive authority to enforce the new law.
FTC Comment to CPSC
The staff of the Federal Trade Commission’s (FTC) Bureau of Consumer Protection recently submitted a comment to the Consumer Product Safety Commission (CPSC) regarding IoT and consumer product hazards. The staff comment includes guidance for businesses operating in the IoT space as well as recommendations for the CPSC in its consideration of safety and security risks presented by IoT devices.
The staff comment explains “[a] company setting up a program to address security risks on its IoT device should take measures to secure that device from hackers, for both privacy and safety issues.” The staff emphasizes, “[c]ompanies that manufacture and sell IoT devices must take reasonable steps to secure them from unauthorized access.”
The comment notes “there is no ‘one size fits all’ approach to securing IoT devices. The level of reasonable security will depend on many factors, including the magnitude of potential risks, the likelihood of such risks, and the availability of low-cost tools to address the risks.” Nonetheless, the comment offers guidance to IoT companies in three specific areas: “risk assessment; reasonable vendor oversight for devices and other interdependent products; and software updates, product ‘expiration’ dates, and default settings.”
According to the staff, a “risk assessment can help identify reasonably foreseeable threats and hazards, and solutions for mitigating against such threats and hazards.” The staff also recommends companies test “authentication techniques and consider whether techniques, such as multi-factor authentication (such as a password and a code sent to a phone) or biometric authentication, are appropriate.” The staff explains the FTC has “recommended that companies consider risks at the point where a service communicates with an IoT device, such as the interface between the device and the cloud,” and that “companies test a product’s security measures before launch.”
With regard to service providers, the comment encourages companies to exercise “due diligence in their selection of service providers, incorporating security standards into their contracts, and taking reasonable steps to verify compliance with those security standards on an ongoing basis.” The staff emphasizes that in multiple cases, the FTC has taken action against companies that “failed reasonably to oversee the security practices of their service providers.”
Oversight, Updating, and Patching
Third, with regard to software updates and patching, the staff recommends that “companies should take steps to stay abreast of threats identified in the marketplace by, for example, signing up for email updates from trusted sources; checking free databases of vulnerabilities identified by security researchers; and maintaining a channel through which security researchers can reach out about risks.” The staff also recommends that companies should issue updates and patches “for a period of time that is consistent with consumers’ reasonable expectations” but does not provide further guidance regarding the boundaries of those expectations.
Other Pre-Existing FTC Guidance for IoT Companies
The staff comment also points to prior FTC enforcement actions as a source of guidance for IoT companies. As the staff highlights, “in the TRENDnet case, the FTC alleged that the company engaged in unfair and deceptive security practices related to its Internet-connected cameras. The complaint alleged that the company’s failure to reasonably test and review the camera’s software for security problems; failure to encrypt data in storage and transit; and failure to monitor third-party security vulnerability reports led to a breach of private video feeds.” In another case against the technology company ASUS, the FTC “alleged that the company’s failure to reasonably secure its routers led to the unauthorized access of consumers’ home networks.” The comment also points to a staff report from 2015 on the IoT, in which the FTC made several specific recommendations for security best practices.
Recommendations for the CPSC
Finally, the staff offers recommendations to the CPSC in its consideration of safety and security issues for IoT services. The staff comment recommends that the CPSC “consider how companies might provide consumers with the opportunity to sign up for communications regarding safety notifications and recalls for IoT devices.” Additionally, the staff recommends that “the CPSC should consider requiring manufacturers to publicly set forth the standards to which they adhere. Such disclosures would improve transparency and provide consumers with information to better evaluate the safety and security of their IoT products. The FTC could use its authority under the FTC Act to take action against companies that misrepresent their security practices in their certifications.”