California Introduces Security by Design to Connected Devices

By Adi Amsalem and Dan Or-Hof

The California Consumer Privacy Act (CCPA) is not the only California consumer privacy law that takes effect on January 1, 2020.

Alongside the CCPA, the Information Privacy: Connected Devices Act is added to part 4 of the California civil code and imposes information security and privacy requirements, related to connected devices.

Key Considerations

Security by design is a known concept, including in relation to the regulation of connected devices. The new California law puts another emphasis on this important concept. Companies should be minded, during the planning, development, integration and assembly of connected devices, to the need to design their devices adequately from an information security perspective.
Though the new law does not provide consumers with an explicit private right of action, it will be interesting to see if California litigators would find workarounds to file civil court actions under this law.

Background

On January 1, 2020, the California Information Privacy: Connected Devices Act goes into effect. The new law amends and becomes part of the California Civil Code. California will be the first US state to regulate the security of connected devices. The law, together with the CCPA, will add new responsibilities and restrictions on manufacturers regarding privacy and security.

What is the Purpose of this Law?

The law aims to protect consumers from having unauthorized users trying to access their devices that connect to the Internet directly or indirectly and are assigned an IP (Internet Protocol) address or Bluetooth connection, by regulating and improving the standard of connected devices’ security.

Who is Covered by this Law?

The law applies to manufacturers of connected devices from all types, excluding devices that are subject to other federal laws or regulations. The new law also applies to those who contract to have connected devices manufactured.

However, retailers and online marketplaces are exempt from the law, as well as any person whose activities are regulated by HIPAA (the federal Health Insurance Portability and Accountability) or the Confidentiality of Medical Information Act. Accordingly, connected medical devices are out of the new law’s scope.

Further, the law permits law enforcement agencies to gather information about devices from the manufacturers.

What are the Requirements of this Law?

The law, approved by the California governor on September 28, 2018, requires manufacturers that sell or offer to sell their products in California (regardless where they are made), to add “reasonable security features” to their connected devices.

Another requirement relates to authentication. The new law sets password requirements for using any connected devices that are authenticated remotely. Two security features that the new law considers as “reasonable” are:

a) Manufacturers need to make sure that each device has a unique password;
b) The first use requires users to create a new password.

Accordingly, the law provides very little guidance on ‘security by design’ of connected devices. Apart from the specific requirements in relation to passwords, manufacturers of connected devices are left with a vague obligation to secure the devices ‘reasonably’.

Compare it, for example, to the more elaborate ‘secure by design’ guidance by the UK government for manufacturers of consumer IOT devices.

Yet, some argue that the new law is a good start because it requires manufacturers to rethink cybersecurity and forces them to integrate security by design considerations into their products.

Who Enforces the Law?

Who Enforces the Law?

The law does not provide consumers with the right to private action. Although it is a consumer protection law, only the attorney general, city attorneys, county counsels or a district attorney have specific authority to take actions against the violating covered entities.