The law signed by Gov. Jerry Brown requires IoT device manufacturers to ensure their devices have “reasonable” security features.
California governor Jerry Brown has signed two new bills — Assembly Bill 1906 and Senate Bill 327 — that will comprise the state’s new IoT law. The the IoT industry accountable for security without blocking innovation or introducing unwieldy regulations.
The law requires manufacturers to equip IoT devices with reasonable security features that will protect both the device and the information it collects and transmits from “unauthorized access, destruction, use, modification or disclosure.”
See also: IoT security flaws exposed in Mirai botnet attack
The new law —which defines IoT devices as those with an IP or bluetooth address that enables an internet connection — also specifies that reasonable security includes:
- An authentication process that doesn’t rely on a local network
- A unique passwords for each device
- The requirement that users must create new credentials before gaining access
Several industry groups including the Security Industry Association, National Electrical Manufacturers Association (NEMA), and California Manufacturers and Technology Association (CMTA) oppose the new law. They believe that the definition of “reasonable security features” lacks clarity and includes a loophole to avoid compliance.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers but will drive away California manufacturing investment,” the CMTA said.
Both bills become law on January 1, 2020.