California is pressing forward with Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices (that is, devices capable of connecting to the Internet). The legislation requires manufacturers of connected devices to equip those devices with reasonable security features appropriate to the nature of the device. The goal of the legislation is to protect consumers, but remain sufficiently flexible to accommodate disparate products and industries. Manufacturers that do not comply will face investigation and possible fines by California regulators.
Over the past several years, manufacturers have introduced connected versions of previously standalone devices such as thermostats, baby monitors, connected cars, smart watches and smart televisions, and fitness bands. Connecting a device to the Internet enables benefits such as better or more responsive service, real-time information, and increased consumer control.
However, in addition to these advantages, these devices’ direct connection to the Internet also exposes them to a wide variety of cyberattacks and may permit the compromise of potentially sensitive information stored on them. As the California Senate Floor Analysis explained in discussing the proposed legislation, connected devices collect “immense amount of private information . . . vulnerable to breaches” and may allow strangers to “conduct surreptitious surveillance on homes or to communicate through devices directly.”1 Data security issues, such as cyberattacks or reliability concerns, may also interfere in the functioning of a device, which may have harmful consequences where the device manages a critical process, such as the operation of a vehicle.2
Legislation potentially applies to manufacturers around the world. Like most privacy laws, because the legislation protects California consumers, the location of the device manufacturer is irrelevant. Therefore, the legislation could have extra-jurisdictional application to manufacturers around the world if they sell connected devices in California.
Legislation’s IoT data security requirements. Generally, the legislation requires manufacturers to implement security features for connected devices that must be:
- Appropriate to the nature and function of the device
- Appropriate to the information it may collect, contain, or transmit, and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
The legislation is not limited to certain devices or types of information. Instead, the legislation’s emphasis on the appropriateness of the data security features is based on the facts and circumstances, comparable to the context-based approach to “reasonable data security” required by Federal Trade Commission (FTC) guidance and consent orders and by state consumer protection laws.3 For example, the legislation appears to adhere to the FTC’s recommendation that legislatures adopt “strong, flexible, and technology-neutral legislation” to enforce data security.4 Likewise, as the FTC IoT Report noted, “[r]easonable and appropriate security practices are critical to addressing the problem of data breaches and protecting consumers from identity theft and other harms.”5
Nevertheless, the California legislature thought it worth specifically targeting one type of data security measure. The legislation imposes a specific requirement that connected devices capable of authentication outside a local area network must have a preprogrammed password that is unique to each device or the device must contain a security feature that requires a user to generate a new password or authentication mechanism before its use.
Exceptions to the legislation’s data security requirements. The legislation contains several limitations:
- The bill will not impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device. This exception appears consistent with the FTC’s recent settlement with BLU, which held the manufacturing brand responsible for the data security measures implemented by the unaffiliated software vendors that BLU (and not the user) selected for installation on the device.
- App store providers are not covered by the legislation.
- Manufacturers can still permit consumers to exercise full control over the devices. For example, manufacturers may permit consumers to choose whether to modify the software or firmware running on the device.
- The legislation does not apply to connected devices already subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority. Presumably, this would exclude medical devices covered by FDA regulations and/or guidance.6
- A covered entity or health provider subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or California’s Confidentiality of Medical Information Act is not subject to the legislation with respect to the activity already regulated by those health privacy and security laws.
Enforcement. Finally, the legislation vests enforcement authority solely with the California Attorney General’s Office, a city attorney, a country counsel, or a district attorney. The legislation does not provide for a private right of action.
Frequency of and risks from data breaches
Proponents of the bill argue that this legislation both supports privacy rights and addresses the safety risks of potentially hackable connected devices. As discussed above, the California legislature concluded that many of these devices collect a vast amount of personal and intimate information and are used to manage critical processes. In addition, as noted by the Privacy Rights Clearinghouse, a proponent of the legislation, consumers are often unaware of the data being collected by their devices and the related safety risks. Therefore, consumers commonly do not take steps to protect the security of the information on the connected devices, which may leave them at risk. Believing that California consumers could not fend for themselves without legislative action, California created an express requirement for manufacturers to implement reasonable security measures.
The detractors’ primary argument against the legislation is that existing law has already sufficiently regulated this area. The Entertainment Software Association submitted that this Bill’s requirements are “not necessary to provide protections to California residents.” It contended that “[e]xisting law already requires manufacturers to implement reasonable privacy protections appropriate to the nature of the information they collect.” Historically, the FTC investigates companies when it believes they have failed to implement reasonable security controls under its unfairness or deception authorities in section 5 of the FTC Act.7 Many states, including California, also have laws that expressly require companies to implement reasonable data security (although these typically only apply to companies that themselves collect “personal information”).8
The legislation leaves open the ongoing question of how the law should treat connected devices that have parts and software manufactured and developed by multiple parties. “Manufacturer” means “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” This definition may mean that the brand selling the product is responsible for compliance. It could also be interpreted to cover nearly any company involved in the manufacturing process. Fortunately for manufacturers, the legislation does not include a private right of action, so manufacturers would not be subject to class action litigation while courts clarify this ambiguity.
Governor Jerry Brown signed the IoT legislation on September 28th. The legislation will take effect starting on January 1, 2020.
Implications for IoT products generally
Generally, implementing robust data security and privacy controls for consumer products requires an significant planning, design, and integration that remains flexible and takes into account security as a material product feature. Companies concerned about complying with the requirements of the new legislation should consider beginning to take the following steps now to improve and document security for their connected device products. Implement and document data security and privacy protections as part of the product development life cycle
- Implement encryption for device storages and for any network connections, particularly those that involve the storage or transmission of sensitive data, including personal information.
- Require users to generate new authentication credentials upon their first use if the device is capable of authenticating outside of a local area network; require secure authentication generally.
- Periodically conduct security evaluations and penetration tests of the connected device and, if possible, provide firmware updates as needed to remediate identified vulnerabilities.
- Verify that supply chain vendors likewise integrate reasonable data security and privacy controls in the components of connected devices that they manufacture.
- In the past, hackers have exploited security weaknesses in IoT product to create Shodan, a searchable index of all unsecured IoT cameras accessible via the Internet, including baby monitors or web cameras located in users’ homes. In another case, hackers specifically infected and commandeered as many as 2.5 million unsecured connected devices across the globe to create a malware botnet known as Mirai that was used to bring down websites such as Twitter or Netflix.
- In analyzing IoT security concerns, legislators made reference to several issues previously raised by consumer class-action cases. Specifically, security researchers demonstrated that children’s dolls storing large quantities of personal data were vulnerable to hacking; researchers were even able to speak directly through the dolls to children. See, e.g., Archer Hayes v. ToyTalk, Inc. 2015 WL 8304161 (Cal. Super. Ct. 2015). Legislators also referenced car hacking cases where automobile manufacturers have been hit with class action litigation because of IoT security vulnerability. Researchers demonstrated the ability to hack into vehicles via their IoT entertainment systems and take over the steering and breaking controls. See e.g. Cahen v. Toyota, 147 F. Supp. 3d. 955, 958 (N.D. Cal. 2015); Flynn v. FCA, No. 15-CV-0855-MJR-DGW, 2018 WL 3303267, at *1 (S.D. Ill. July 5, 2018).
- See, e.g., California Consumer Privacy Act, A.B. 375
- See Federal Trade Commission, Internet of Things: Privacy & Security in a Connected World, at 49 (2015) (the “FTC IoT Report”)
- The FDA requires that medical device manufacturers comply with federal regulations, including quality-system regulations (QSRs), which address all risks, including cybersecurity. Premarket, the FDA recommends identifying potential risks and vulnerabilities during the design of a medical device. Post-market, the FDA recommends that manufacturers perform software updating and maintenance. FDA-regulated manufacturers should communicate before sale whether their devices will receive security updates, how updates are received, and when security support will end. Specifically, the FDA uses its 2014 guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices on the content of premarket submissions, recently supplemented by its September 6, 2017, guidance titled Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices as general principles to assist its review. The FDA also provides post-market guidance via a December 28, 2016, report titled Postmarket Management of Cybersecurity in Medical Devices. Please see our prior client alerts for more expansive discussion of these three FDA guidance documents, published October 25, 2017, October 30, 2017, and January 3, 2018 for more expansive discussion of these three FDA guidance documents.
- In LabMD, Inc. v. FTC, the 11th Circuit vacated the FTC’s order requiring LabMD to implement “reasonable data security” as not sufficiently definite, but left open the possible that the FTC could enjoin a specific act or practice. See 891 F.3d 1286, 1302 (2018). The FTC has also expressed views on the requirement for data security and privacy in connected devices in publications such as the FTC IoT Report discussed above. The FTC has historically pursued enforcement actions against organizations with practices that it finds to be falling short of the baselines outlined in guidance. See, e.g., In the Matter of LabMD Inc., FTC No. 102-3099 (Aug. 28, 2013) (complaint); In the Matter of BJ’s Wholesale Club Inc., FTC No. 042-3160 (Sep. 20, 2005) (complaint).
- Cal Civ. Code § 1798.81.5; Mass. Gen. Laws Ch. 93H § 2(a); Fla. Stat. § 501.171(2). California in particular has undertaken several data security enforcement actions. See, e.g., People v. Uber Technologies, Inc., CGC-18-570124 (Cal. Sup. Ct. Sept. 28, 2018) (Complaint); People v. Lenovo (United States) Inc., BC674647 (Cal. Sup. Ct. Sept. 5, 2017).