California Establishes New Cybersecurity Standards for IoT Devices
California has signed into law SB-327, which establishes new cybersecurity standards for devices capable of connecting (directly or indirectly) to the internet and that have a designated IP or Bluetooth address. By some estimates, nearly 12 billion of these internet-connected IoT units are already in use, from smart appliances to wearables, and together comprise what is commonly referred to as the “Internet of Things” (IoT).
The new law, effective January 1, 2020, applies to manufacturers of IoT devices—or to businesses who outsource the manufacturing of IoT devices—that are sold or offered for sale in California. Specifically, it requires covered parties to equip IoT devices with reasonable security that is “(1) appropriate for the nature and function of the device, (2) appropriate to the information it may collect, contain, transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
Device manufacturers will not, however, have to satisfy these new security requirements in all situations. The legislation does provide for certain exceptions, which we discuss in greater detail in a recent client advisory. For more information, read our recent client advisory, Adding an “S” to IoT: New California Law Requires IoT Security,or contact Doug Gastright, Melissa Kern, Jane Hils Shea, or any member of Frost Brown Todd’s technology industry team.
Ask the Blogger
Do you have a topic that you would like discussed in a future blog article? Please let us know. If you have a confidential question regarding a blog article, please feel free to contact the article's author directly, or let us know if you would like for someone to contact you directly.
Jane Hils Shea has lead FBT’s Privacy and Information Security Practice Area since its creation in 2001 and is a Certified Information Privacy Professional (CIPP-US).