
An Overview of the California IoT Security Law

by Unallocated Author

The California Civil Code has recently been amended to add three new Sections. These were reportedly added to regulate the security of Internet of Things devices (IoT devices), which have previously been subject to vulnerabilities.

The legislation, however, uses the term ‘Connected Device’ to mean any device connected to the internet.

The law is likely to be in full force by the 1st of January, 2020, and lays down guidelines for manufacturers to ensure the safety of their users' personal information.

The Need

With the rapid increase in IoT devices, personal information such as location, recent activities and other personal details of users has become accessible to third parties, who could misuse it.

Such misuse violates the Constitutional Rights of American Citizens, which include the Right to Privacy. Therefore, there was a clear need for the manufacturers of Connected Devices to be regulated and burdened with the obligation of protecting the personal information of users.

The Pros

The legislation has a broad framework, which encompasses all connected devices except the ones that are covered under Federal Security or HIPAA. According to this legislation, the connected devices concerned need to possess certain “reasonable and appropriate” security features.

According to Section 1798.91.05 (b), the legislation lays down a broad framework, which considers a connected device having “…means for authentication outside of a local area network…” as reasonably secure. Further, the Section mentions the need either for the pre-programmed password of each connected device to be unique, or for the user to be allowed to “…generate a new means of authentication…” when the user accesses the device for the very first time.
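As an added illustration (not taken from the statute or from any manufacturer's code), the two options described above can be sketched in Python: a unique pre-programmed password per device, or a forced credential change on first access, plus a check over a provisioning manifest. The `Device` class, the 12-character minimum and the manifest layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical connected device that can be reached from outside the LAN."""

    def __init__(self, serial: str, factory_password: str, unique: bool):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(factory_password, self.salt)
        # A shared factory password is tolerated only if first access forces a change.
        self.must_change = not unique

    def login(self, password: str) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, old: str, new: str) -> bool:
        # Assumed policy: new credential differs from the old one, 12+ characters.
        if self.login(old) == "denied" or new == old or len(new) < 12:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True


def provision_unique(serials):
    """Option 1: a random pre-programmed password for each device."""
    return {s: secrets.token_urlsafe(12) for s in serials}


def audit(manifest):
    """manifest: serial -> (factory_password, forces_change_on_first_access).
    Returns the serials that satisfy neither option."""
    counts = Counter(pw for pw, _ in manifest.values())
    return sorted(s for s, (pw, forced) in manifest.items()
                  if counts[pw] > 1 and not forced)
```
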

Although the aforementioned legislation has set a precedent by taking a step forward and regulating connected devices, it needs to be further perfected. Apparently, this legislation only regulates US-based manufacturers and affiliated applications. Unfortunately, it overlooks the possibility of the manufacturer enabling the device to operate on third-party software, which may be injected with malicious code. However, since the US Cyber Laws are still evolving, there is a possibility that other legislation might soon come into force and bridge the gaps.