California IoT Bill: First State Law on Cybersecurity

Understanding California’s IoT Cybersecurity Legislation

In late August, a crucial step in California’s cybersecurity landscape unfolded with the passage of state legislation concerning the Internet of Things (IoT). This bill, currently awaiting California Senator Jerry Brown’s signature, is poised to make California the pioneering state in enacting IoT-related laws, forging ahead of federal initiatives aimed at similar concerns.

SB-327: Safeguarding Connected Devices

The bill, known as SB-327 in the California Senate and Stomach muscle 1906 in the California Assembly, aims to modernize existing state laws governing the disposal of customer records containing sensitive information. It mandates businesses to take specific steps to either destroy such records or render the data indecipherable when they’re no longer required.

Strengthening Security Measures

The proposed legislation establishes a new section within California Common Code, focusing on the Security of Connected Devices. Manufacturers of connected devices would be required to equip these devices with appropriate security features, tailored to safeguard both the device and the information it handles from unauthorized access. Compliance verification and legal enforcement would involve the oversight of regulatory bodies and may necessitate the expertise of an Intellectual Property Lawyer to ensure adherence to patent and copyright laws while implementing these security measures.

Scope and Exemptions

However, the bill doesn’t extend its mandates to third-party software or applications added by users to a device, nor does it limit users’ ability to modify device software or firmware. Additionally, devices subject to federal security regulations or law enforcement-authorised access aren’t bound by this legislation.

Contrasting Federal Efforts

California’s state-level progress stands in contrast to federal bills, such as H.R.1324 (the Anchoring IoT Act) and S.1691 (the IoT Cybersecurity Improvement Act). Despite the introduction of these bills at the federal level, progress has stalled in committees.

Federal Initiatives’ Current Status

H.R.1324, introduced by Rep. Jerry McNerney, aims to establish cybersecurity standards for radio frequency equipment under the FCC but remains stagnant in the Subcommittee on Communications and Technology. Similarly, S.1691, introduced by Sen. Mark Warner, seeks to set minimum cybersecurity standards for government-purchased IoT devices but has also stalled in progress since its introduction.

California’s proactive stance in passing SB-327 underscores its commitment to IoT cybersecurity, setting a significant precedent at the state level in addressing these crucial technological concerns.