Wednesday, November 14, 2018

Right Out of the Box: California Enacts First-of-its-Kind Statute Regulating Internet-of-Things

The California legislature had a big year in 2018. While a great deal of attention has focused on the California Consumer Privacy Act of 2018 (CCPA), a sweeping new privacy law often compared to Europe’s General Data Protection Regulation (GDPR), California also passed a less-publicized, but highly critical, statute that will regulate certain aspects of Internet of Things (IoT or connected) device security.

The IoT law, known as SB-327, should have a significant impact that extends well beyond California’s borders when it goes into effect in January 2020. Companies impacted by SB-327—especially manufacturers and distributors of IoT devices—should work to ensure compliance with the act as soon as possible if regulatory fallout is to be avoided come January 2020.

What does the IoT statute cover?

As “smart” devices, like internet-connected refrigerators, coffee makers and even industrial control systems for the nation’s critical infrastructure, become more prevalent, the opportunity for device hacking and improper use becomes more widespread and potentially more devastating. For example, the Mirai botnet, which took down a large swath of the internet in 2016, gained control of poorly protected IoT devices and used them to carry out one of the largest Distributed Denial of Service (DDoS) attacks on record.
On a more personal level, the proliferation of integrated cameras and sensors, often with easily hackable manufacturer default passwords, provides hackers with a ready means to peer into, if not break into, homes. With SB-327, California seeks to address these and related security concerns head-on.

What requirements does the IoT statute impose?

The primary way in which SB-327 will attempt to address IoT security risks is by directly imposing security requirements on the device manufacturers themselves. In contrast, regulations like the GDPR, New York’s Department of Financial Services Cybersecurity Regulation (and even, implicitly, the CCPA), only call for third-party security reviews. Specifically, SB-327 will require companies offering IoT devices for sale in California to equip their products with “reasonable security features.” The obvious question then becomes, what does “reasonable” actually mean?
Unfortunately, “reasonable” features are not specifically defined in this context. Instead, SB-327 uses a principles-based approach, encompassing security features that are:
  1. Appropriate to the nature and function of the device;
  2. Appropriate to the information it may collect, contain or transmit; and
  3. Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
This approach will require manufacturers of connected devices to continuously assess the risks attendant with these products, and incorporate security features commensurate with those risks, preferably (and most cost effectively) at the design phase. Manufacturers must also be prepared to document their risk-based decisions in the event that their reasonableness decisions are challenged.
In addition to the principles set forth above, SB-327 also provides certain reasonableness floors. For example, any IoT device that can be authenticated outside a local area network (LAN) must either come with authentication unique to that device, or require the user to “generate a new means of authentication before access is granted to the device for the first time.” A connection outside a LAN usually refers to the ability to access the functions of a device from anywhere with an internet connection, as opposed to a limited connection available only when connected to the same network as the device in question. This is similar to the difference between an intercom system, accessible only from within the building in which it is located, and a landline telephone network, where any line is accessible so long as one is connected and dials the appropriate number.
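
As an added illustration (not code from the article, the statute, or any vendor), the following Python sketch models the authentication floor just described: a unit either ships with a credential unique to that device, or refuses off-LAN access until the shared factory default has been replaced. The class name, the LAN ranges and the factory default value are assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed example: LAN ranges and the shared factory default are assumed values.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
FACTORY_DEFAULT = "admin"  # the kind of shared default the SB-327 floor is meant to retire


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuthGate:
    """Hypothetical device-side gate enforcing the SB-327 authentication floor."""

    def __init__(self, per_unit_secret: Optional[str] = None):
        self.salt = secrets.token_bytes(16)
        if per_unit_secret:
            # Option 1: credential unique to this unit (e.g. printed on its label).
            self.pw_hash = _hash(per_unit_secret, self.salt)
            self.must_change = False
        else:
            # Option 2: shared default, which must be replaced before first remote use.
            self.pw_hash = _hash(FACTORY_DEFAULT, self.salt)
            self.must_change = True

    def set_credential(self, new_password: str) -> bool:
        # Reject re-use of the default and trivially short values (assumed policy).
        if new_password == FACTORY_DEFAULT or len(new_password) < 12:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.must_change = False
        return True

    def authenticate(self, password: str, client_ip: str) -> str:
        remote = not any(ipaddress.ip_address(client_ip) in net for net in LAN_NETWORKS)
        if remote and self.must_change:
            # The floor applies to access from outside the LAN: no remote use on a default.
            return "denied: credential must be changed before remote access"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied: bad credential"
        if self.must_change:
            return "ok: local access only until credential is changed"
        return "ok"
```

Local (on-LAN) logins with the default are still permitted in this model so the owner can perform initial setup; only off-LAN access is blocked until a new credential exists.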
Looking elsewhere, including how other regulators approach risks associated with IoT devices, can also help inform what is considered “reasonable.” In fact, reasonableness standards around IoT device security under California law will likely come to mirror those developed around other products, services and systems that are vulnerable to a cyberattack. For example, regulators across industries are increasingly urging multi-factor authentication security systems in other products and services, instead of just usernames and passwords. In addition, the National Institute of Standards and Technology is currently examining ways it can standardize encryption methodologies for these devices, and regulators will likely consider those standards when they are released. Another example is the Food and Drug Administration (FDA), which recently released its “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” as an increasing number of medical devices become part of the IoT. The report provides a number of preventative actions, many of which could also come to represent reasonableness across industries. For example, for each medical device, the FDA advises a “Hazard Vulnerability Analysis” to better understand and potentially address the effects an attack on that device could have. The guide goes further and provides particular examples of mitigation strategies, like isolating legacy devices that cannot be easily secured and connecting those devices to their own protected network.
Other sources of insight into the likely meaning of reasonableness include the Department of Homeland Security’s “Strategic Principles for Securing the Internet of Things” and the Federal Communications Commission’s discussion of IoT devices in its “Cybersecurity Risk Reduction” white paper.

How will the IoT law be enforced?

Fortunately, SB-327 does not provide a private right of action, and the law will be left to the California Attorney General and other state attorneys to enforce. On the other hand, to the extent these connected devices violate—or contribute to violations of—the privacy of their users, or are subject to third-party breaches, the CCPA can provide consumers with the ability to bring a civil complaint.
The CCPA may apply in other ways, too. For example, California residents have the right under the CCPA to request deletion of personal information collected. Section 1798.140(o)(H) of the CCPA includes “[a]udio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly implicates a number of IoT devices.
As is typical of the new wave of cyber and privacy regulations, there is no explicit grandfathering of legacy devices under SB-327, meaning that California could take the position that retrofitting is required to achieve compliance with the statute. Although it is unlikely that California will take that position, it does raise the question of whether IoT devices should, going forward, allow for remote security updates to maintain the requisite level of “reasonable security features” under the law. In addition, companies may want to consider how early in their production cycles they need to implement changes to make sure compliant devices are entering the supply chain no later than the effective date.

Conclusion

Ultimately, as IoT devices proliferate throughout supply chains and our homes, the benefits in efficiency and convenience they offer will come with increased cyber and privacy risks. California, in passing SB-327, is the first state to anticipate and attempt to guard against those kinds of vulnerabilities, but it will likely not be the last state to do so. Companies that manufacture and distribute IoT devices will be required to comply with this and other laws, and sufficient security features will need to be put in place. More importantly, however, these same security features can protect against breaches and hacks, and the resulting regulatory enforcement actions and litigation.
Although SB-327 is not scheduled to go into effect until January 2020, now is the time to plan and come into compliance with the law. This is particularly true for manufacturers, which will need plenty of lead time to design and implement the necessary security features.

Michael Bahar is a partner in the Washington DC office of Eversheds Sutherland where he co-leads the firm’s global cybersecurity and privacy practice and is a member of the firm’s litigation practice. Frank Nolan serves as counsel in the New York office of Eversheds Sutherland. He defends class action lawsuits and complex business litigation matters in federal and state courts throughout the country. Trevor Satnick is a staff attorney in the New York office of Eversheds Sutherland where he focuses on the full range of data issues, including data privacy and security, cyber risk and cyber breach responses, e-discovery and information governance.
