Data Security Law Blog

California Enacts First-Ever State IoT Security Law


California is leading the pack. Once again.

On Friday, Governor Jerry Brown signed into law SB 327, the first-ever state legislation aimed at governing Internet of Things (IoT) devices.

The new law requires any manufacturer of an Internet-connected or “smart” device to ensure that it has “reasonable” security features to “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” While the law does not explicitly define a “reasonable security feature,” it must be suitable for the nature and function of both the device and type of information collected. The law applies to products sold or offered for sale in the State of California.

The law – which goes into effect on January 1, 2020 – does not create a private right of action but vests government lawyers with enforcement authority. 

This first-of-its-kind law addresses the appropriate means of device authentication where a device is capable of connecting to wide-area networks such as a public network. For those devices, the new law requires that the device have a unique preprogrammed password or that the user generate a new means of authentication prior to initial access to the device. This means that generic default credentials, which an attacker can simply look up or guess, will no longer cut it.
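To make the authentication requirement concrete, here is an added example (written for this post, not code from the statute or from any manufacturer) of how a device's first-access logic can satisfy either branch of the rule: a per-device unique factory password is accepted, while a factory password shared across devices forces the user to set their own credential before any access is granted. The fleet, serial numbers and passwords are constructed sample data, and the SHA-256 hash stands in for whatever salted password hash a real device would use.

```python
"""Added example: first-access gate modelling the SB 327 authentication rule.
Device records and passwords below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac


def pw_hash(password: str) -> str:
    # Demonstration only; a real device would use a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Device:
    serial: str
    factory_password_hash: str                 # password preprogrammed at the factory
    user_password_hash: Optional[str] = None   # set once the user completes setup


# Constructed fleet: SN-0001 and SN-0002 ship with the same generic default
# ("admin"); SN-0003 ships with a per-device unique factory password.
FLEET = [
    Device("SN-0001", pw_hash("admin")),
    Device("SN-0002", pw_hash("admin")),
    Device("SN-0003", pw_hash("k7Qz-93Lp-ax2R")),
]


def shared_factory_hashes(fleet):
    """Factory password hashes that appear on more than one device (generic defaults)."""
    counts = Counter(d.factory_password_hash for d in fleet)
    return {h for h, n in counts.items() if n > 1}


def classify(device, fleet):
    """Compliance view of a single device against the two permitted branches."""
    if device.user_password_hash is not None:
        return "ok: user-set credential"
    if device.factory_password_hash in shared_factory_hashes(fleet):
        return "fail: shared default credential, setup not completed"
    return "ok: unique preprogrammed password"


def first_access_gate(device, supplied_password, fleet):
    """Return 'allow', 'setup-required' or 'deny' for a login attempt."""
    supplied = pw_hash(supplied_password)
    if device.user_password_hash is not None:
        # Setup complete: only the user-chosen credential is accepted.
        ok = hmac.compare_digest(supplied, device.user_password_hash)
        return "allow" if ok else "deny"
    if device.factory_password_hash in shared_factory_hashes(fleet):
        # Generic default: never grant normal access; force credential setup first.
        return "setup-required"
    # Unique per-device factory password: accepted as-is.
    ok = hmac.compare_digest(supplied, device.factory_password_hash)
    return "allow" if ok else "deny"


def complete_setup(device, new_password, fleet):
    """User-generated credential; refuse empty values and any known shared default."""
    if not new_password or pw_hash(new_password) in shared_factory_hashes(fleet):
        raise ValueError("new credential must not be empty or a shared default")
    device.user_password_hash = pw_hash(new_password)


if __name__ == "__main__":
    for d in FLEET:
        print(d.serial, classify(d, FLEET))
    print("SN-0001 with 'admin':", first_access_gate(FLEET[0], "admin", FLEET))
    complete_setup(FLEET[0], "my-own-passphrase", FLEET)
    print("SN-0001 after setup:", first_access_gate(FLEET[0], "my-own-passphrase", FLEET))
```

The useful property to notice is that the gate never accepts a shared default even when the supplied password matches it; the only transition out of `setup-required` is `complete_setup`, which is the "user generates a new means of authentication prior to initial access" branch of the law.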

Although groundbreaking in its entirety, one of the most interesting aspects of the new law is a liability carve-out for manufacturers in the event a user alters the software or firmware running on an IoT-enabled device.

This exemption will likely set the tone for private causes of action brought under negligence or strict product liability theories. Under traditional tort law, a manufacturer’s liability for a defect is limited to a tangible product. But manufacturer liability for personal injury resulting from interconnected devices is new ground, where both the tangible device and less tangible technology combine to produce device functionality. Thus, the scope of a manufacturer’s duty in this realm remains unclear and the new law’s recognition that a manufacturer is not liable to the government where the user has modified the software may provide useful guidance in the civil context.

And, in the traditional tort context, a manufacturer can be held liable for reasonably foreseeable misuse of a product by the user, including reasonable modifications made by the user to the product. This is true for interconnected medical devices falling within the scope of the FDA’s non-binding guidance issued in September 2017. The FDA has seemingly adopted the tort concept of foreseeable misuse in the cases of “reasonably foreseeable misuse, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

The new California law, on the other hand, exempts a reasonably foreseeable consumer alteration as a source of liability. The state legislature’s recognition that a manufacturer should not be held accountable under these circumstances should provide some guidance in determining and limiting a manufacturer’s liability when these sorts of claims arise. 

This new law comes just months after California made waves when it passed a consumer data-privacy law during the summer that has been called the nation’s toughest, stopping companies from selling personal information without permission from their customers. See our blogs on the consumer law here and here.