Sunday, May 25, 2025

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Creators Network
    • Latest Posts
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming Webinars
    • Calendar View
    • On-Demand Webinars
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Content
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
    • Techstrong.tv Podcast
    • TechstrongTV - Twitch
  • Library
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
  • Media Kit
  • About
  • Sponsor

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Governance, Risk & Compliance IoT & ICS Security Security Bloggers Network 

Home » Cybersecurity » Governance, Risk & Compliance » California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?

SBN

California IoT Security Law: A Nearsighted, Toothless Guard Dog or a Wolf in Sheep’s Clothing?

by Amy Grant on December 3, 2018

With three new sections added to the California Civil Code, California became the first U.S. state with a cybersecurity law specifically for internet-connected devices on September 28, 2018. The new Security of Connected Devices law will take effect on January 1, 2020.

The Basics

The new law requires manufacturers of connected devices to equip the devices with reasonable security features that are:

Techstrong Gang Youtube
AWS Hub
  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain or transmit; and
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
    (Cal. Civ. Code §1798.91.04(a))

A connected device is any device capable of connecting to the Internet, directly or indirectly that is assigned an Internet Protocol address or Bluetooth address (§1798.91.05(b))

Manufacturers include anyone who manufactures (or contracts with a third party to manufacture) connected devices that are sold or offered for sale in California (§1798.91.05(c)).

The law has a number of exceptions and carveouts, including the following:

  • Device manufacturers are not responsible for unaffiliated third-party software or applications that a user chooses to add to a connected device (§1798.91.06(a)); however, unaffiliated is not defined. If a manufacturer has a third-party compatibility certification program like the Amazon Connected Device Certification program, is the certified third-party software or application still unaffiliated?
  • The law does not require importers or physical resellers (§1798.91.05(c)) or virtual resellers (§1798.91.06(b)) to review devices for compliance or to enforce compliance.
  • The law does not apply to devices subject to federal security regulations or to entities subject to HIPAA or the California Confidentiality of Medical Information Act (§§1798.91.06(d) and (h)).

Nearsighted?

Robert Graham of Errata Security argues that the law reflects a superficial (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Amy Grant. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/iot/california-iot-security-law/

December 3, 2018December 4, 2018 Amy Grant California, Compliance, Featured Articles, HIPAA, Internet of things, iot
  • ← Decking the Halls for Holiday Traditions
  • Read All About It: The Breaches That Won’t Make the Headlines →

Techstrong TV

Click full-screen to enable volume control
Watch latest episodes and shows

Tech Field Day Experience at Qlik Connect 2025

Upcoming Webinars

Software Supply Chain Security: Navigating NIST, CRA, and FDA Regulations

Podcast

Listen to all of our podcasts

Press Releases

GoPlus's Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Subscribe to our Newsletters

ThreatLocker

Most Read on the Boulevard

Signal Gives Microsoft a Clear Signal: Do NOT Recall This
Strategic Defense Innovation: Israel and South Korea’s Technological Partnership 
Survey: Too Much Time Being Spent on Managing Cybersecurity Tools
Law Enforcement, Microsoft Disrupt Operations of Popular Lumma Stealer
U.S. Authorities Seize DanaBot Malware Operation, Indict 16
Malicious attack method on hosted ML models now targets PyPI
Qatar National Bank Breach Explained: How the Attack Happened and What’s Next
Cyber Heads Up: “BadSuccessor”—A Critical Active Directory Privilege Escalation Vulnerability in Windows Server 2025
The OWASP LLM Top 10 and Sonatype: Data and model poisoning
10 Proven Growth Strategies for B2B SaaS: Lessons from Business Classics & Applications for AI Startups

Industry Spotlight

Signal Gives Microsoft a Clear Signal: Do NOT Recall This
Application Security Cyberlaw Cybersecurity Data Privacy Endpoint Featured Governance, Risk & Compliance Humor Incident Response Industry Spotlight Most Read This Week News Popular Post Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches Vulnerabilities 

Signal Gives Microsoft a Clear Signal: Do NOT Recall This

May 22, 2025 Richi Jennings | 3 days ago 0
Coinbase Says Breach May Cost $400 Million, Issues $20 Million Bounty
Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Industry Spotlight Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches 

Coinbase Says Breach May Cost $400 Million, Issues $20 Million Bounty

May 16, 2025 Jeffrey Burt | May 16 0
Warning to US Retail: ‘Scattered Spider’ Targets YOU (with DragonForce Ransomware)
Analytics & Intelligence Cloud Security Cybersecurity Data Privacy Data Security DevOps Endpoint Featured Governance, Risk & Compliance Humor Identity & Access Incident Response Industry Spotlight Malware Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

Warning to US Retail: ‘Scattered Spider’ Targets YOU (with DragonForce Ransomware)

May 15, 2025 Richi Jennings | May 15 0

Top Stories

U.S. Authorities Seize DanaBot Malware Operation, Indict 16
Cloud Security Cybersecurity Data Privacy Data Security Endpoint Featured Identity & Access Malware Network Security News Security Boulevard (Original) Spotlight Threats & Breaches 

U.S. Authorities Seize DanaBot Malware Operation, Indict 16

May 23, 2025 Jeffrey Burt | 2 days ago 0
Survey Surfaces Limited Amount of Post Quantum Cryptography Progress
Cybersecurity Featured News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight 

Survey Surfaces Limited Amount of Post Quantum Cryptography Progress

May 23, 2025 Michael Vizard | 2 days ago 0
Law Enforcement, Microsoft Disrupt Operations of Popular Lumma Stealer
Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Malware Mobile Security Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threat Intelligence 

Law Enforcement, Microsoft Disrupt Operations of Popular Lumma Stealer

May 22, 2025 Jeffrey Burt | 3 days ago 0

Security Humor

Randall Munroe’s XKCD ‘Baker's Units’

Randall Munroe’s XKCD ‘Baker’s Units’

Download Free eBook

The State of Cloud Native Security 2020

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Creators Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Cloud Native Now
  • DevOps.com
  • Digital CxO
  • Techstrong Research
  • Techstrong TV
  • Techstrong.tv Podcast
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
Powered by Techstrong Group
Copyright © 2025 Techstrong Group Inc. All rights reserved.
×

Security in AI

Step 1 of 7

14%
How would you best describe your organization's current stage of securing the use of generative AI in your applications?(Required)
Have you implemented, or are you planning to implement, zero trust security for the AI your organization uses or develops?(Required)
What are the three biggest challenges your organization faces when integrating generative AI into applications or workflows? (Select up to three)(Required)
How does your organization secure proprietary information used in AI training, tuning, or retrieval-augmented generation (RAG)? (Select all that apply)(Required)
Which of the following kinds of tools are you currently using to secure your organization’s use of generative AI? (select all that apply)(Required)
How valuable do you think it would it be to have a solution that classifies and quantifies risks associated with generative AI tools?(Required)
What are, or do you think would be, the most important reasons for implementing generative AI security measures? (Select up to three)(Required)

×