California's IoT Security Law: Why It Matters And The Meaning Of 'Reasonable Cybersecurity'

Axonius posted on 21 Nov 2019

Over the last several years, the internet of things (IoT) has not only come to pervade our home life, but our work life as well. A smart thermostat adjusts office temperatures based on changes in the weather, and the vending machine in the hall issues an alert when it needs to be refilled. Yet the increase in comfort and ease does not offset the massive risk these devices still pose to the security of an organization.

California has taken steps to reduce this risk, and on January 1, 2020, the state's new IoT Security Law (SB-327) will go into effect, the first of its kind not only in California but in the entire U.S. It requires manufacturers of connected devices sold or offered for sale in the state to equip them with "reasonable security features." Yet the question remains: What is reasonable?

What does the law cover?

Before we answer that question, however, let’s first take a look at what the law covers, which is any connected device, defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." This is a broad definition that could include everything from computers and copy machines to smart TVs and personal fitness monitors.

That list is only going to grow with time. Anything that can be connected will be connected, and the notion of a “connected device” will soon mean just about everything and anything. For businesses in California, that’s going to make it a lot harder to determine whether the devices they’re using fall within the confines of the law.

What is a reasonable security feature?

According to the law, a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

The law is specific about one thing: authentication for devices that can be authenticated from outside a local area network. Such a device is deemed to have a reasonable security feature if either of two conditions is met: "the preprogrammed password is unique to each device manufactured," or "the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." In other words, a manufacturer can satisfy the authentication requirement with a per-unit factory password or with forced credential setup at first use; what the law rules out is a single default password shared across every unit shipped.
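The following is an added example, not code from the original article or from the statute: a small Python model of the two alternative authentication features the law names for devices reachable from outside the LAN, next to the shared-default pattern they replace, plus a fleet check an asset owner can run to spot units still accepting a shared preprogrammed password. The serials, passwords, fleet and password-length rule are constructed assumptions for the example.

```python
"""Added example (not from the original article or the statute): per-device
passwords vs. forced first-use credential setup, and a fleet audit for shared
factory passwords. All serials, passwords and the fleet are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: enough rounds that a hash copied out of flash is not directly usable.
PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    serial: str
    salt: bytes
    password_hash: bytes       # empty until a credential exists on the unit
    label_password: str = ""   # what was printed on the unit; kept only for the audit


class FirstAccessRequired(Exception):
    """The device refuses every login until the owner sets a credential."""


def provision_shared_default(serial: str, default: str = "admin") -> Device:
    """The pattern the law rules out: every manufactured unit gets the same password."""
    salt = secrets.token_bytes(16)
    return Device(serial, salt, _hash_password(default, salt), label_password=default)


def provision_unique_password(serial: str) -> Device:
    """Option (1): a random password per manufactured unit (assumed printed on its label)."""
    pw = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    return Device(serial, salt, _hash_password(pw, salt), label_password=pw)


def provision_setup_on_first_use(serial: str) -> Device:
    """Option (2): no usable preprogrammed credential; set_credential() must run first."""
    return Device(serial, secrets.token_bytes(16), b"")


def set_credential(device: Device, new_password: str, min_len: int = 12) -> None:
    """Owner-chosen credential at first use (or a later rotation). Minimum length is an assumption."""
    if len(new_password) < min_len:
        raise ValueError(f"password must be at least {min_len} characters")
    device.salt = secrets.token_bytes(16)
    device.password_hash = _hash_password(new_password, device.salt)
    device.label_password = ""  # a rotated credential is no longer the factory one


def authenticate(device: Device, password: str) -> bool:
    """Remote login gate: refuses outright while no credential exists, otherwise
    compares the stored and computed hashes in constant time."""
    if not device.password_hash:
        raise FirstAccessRequired(f"{device.serial}: set a credential before first access")
    return hmac.compare_digest(device.password_hash, _hash_password(password, device.salt))


def shared_passwords(fleet: list[Device], candidates: list[str]) -> dict[str, list[str]]:
    """Asset-owner audit: try each candidate password against every unit and report
    any password accepted by more than one device, i.e. a shared factory password.
    Units still awaiting first-use setup cannot accept anything and are skipped."""
    hits: dict[str, list[str]] = {}
    for device in fleet:
        if not device.password_hash:
            continue
        for candidate in candidates:
            if authenticate(device, candidate):
                hits.setdefault(candidate, []).append(device.serial)
    return {pw: serials for pw, serials in hits.items() if len(serials) > 1}


if __name__ == "__main__":
    legacy = [provision_shared_default(f"TSTAT-{i:03d}") for i in range(3)]
    print(shared_passwords(legacy, ["admin", "password"]))  # every thermostat accepts "admin"

    compliant = [provision_unique_password(f"VEND-{i:03d}") for i in range(3)]
    compliant.append(provision_setup_on_first_use("VEND-003"))
    labels = [d.label_password for d in compliant if d.label_password]
    print(shared_passwords(compliant, ["admin"] + labels))  # {}: no password is shared
```

The audit deliberately works the way an attacker would, by trying candidate passwords against each unit, so it needs no access to the firmware; on a real fleet the candidate list would be the vendor's documented defaults rather than the labels, which an asset owner would not normally have in bulk.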

As you can see, the guidance included in the law is specific only to authentication; it remains vague about the other reasonable cybersecurity measures that are necessary beyond password management. However, companies can look to prior guidance for clarity: the California Attorney General's 2016 Data Breach Report described the 20 controls in the CIS Critical Security Controls for Effective Cyber Defense as the "floor" for reasonable cybersecurity and data protection.

The CIS Critical Security Controls are often seen as the gold standard for security defense and include "Inventory and Control of Software Assets," "Email and Web Browser Protections," "Implement a Security Awareness and Training Program," "Application Software Security," and 16 other controls. As you can gather, the "floor" sets a pretty high bar, but it still raises some important questions. What, for instance, are email and web browser protections as they relate to IoT devices? How would an organization go about implementing a security awareness and training program for a smart refrigerator? And what red team exercises would a security team conduct on a pellet stove?

What are the penalties for noncompliance?

The short answer: We don’t know. Luckily for organizations worried about noncompliance, the law:

• Does not allow private parties to sue under California law. Instead, enforcement is delegated “exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys.”

• Does not specify what types of penalties officials can seek for violations, what the maximum penalties are or whether officials must prove that actual harm to consumers has occurred before seeking penalties.

Although the idea of requiring manufacturers to provide reasonable cybersecurity for IoT devices sold in California is noble, the new law lacks clarity on the finer details. Much of the available guidance was written for general enterprise security measures rather than for IoT devices, which makes some of the requirements nearly impossible to apply. The law also says little to nothing about the types of penalties that can result from an offense, what the maximum penalties are, or whether harm to consumers must be proven before those undefined penalties can be sought.

The law may be the first of its kind, but it certainly won’t be the last. As the adoption of IoT devices in the workplace continues, I anticipate additional states will issue similar guidance with regard to security controls, and there’s plenty of room for improvement. Device manufacturers should take note that there will be more thorough legislation covering device security and should plan ahead to address the spirit of the legislation, even if this bill misses the mark.

Originally Published in Forbes


© 2019 by Vertex.

All rights reserved.