California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?

by Amy Grant on December 3, 2018

With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.

The Basics

The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:

appropriate to the nature and function of the device;
appropriate to the information it may collect, contain or transmit; and
Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
(Cal. Civ. Code §1798.91.04(a))

A connected device is any device capable of connecting to the Internet, directly or indirectly that is assigned an Internet Protocol address or Bluetooth address (§1798.91.05(b))

Manufacturers include anyone who manufactures (or contracts with a third party to manufacture) connected devices that are sold or offered for sale in California (§1798.91.05(c)).

The law has a number of exceptions and carveouts, including the following:

Device manufacturers are not responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device (§1798.91.06(a)); however, unaffiliated is not defined. If a manufacturer has a third-party compatibility certification program like the Amazon Connected Device Certification program, is the certified third-party software or application still unaffiliated?
The law does not require importers or physical resellers (§1798.91.05(c)) or virtual resellers (§1798.91.06(b)) to review devices for compliance or to enforce compliance.
The law does not apply to devices subject to federal security regulations or to entities subject to HIPAA or the California Confidentiality of Medical Information Act (§§1798.91.06(d) and (h)).