The law signed by Gov. Jerry Brown requires IoT device manufacturers to ensure their devices have “reasonable” security features.
California governor Jerry Brown has signed two new bills that will make up the state’s new IoT law. Assembly Bill 1906 and Senate Bill 327, introduced by state assemblywoman Jacqui Irwin and state senator Hannah-Beth Jackson respectively. The bills are designed to hold the IoT industry accountable for security without creating obstacles to innovation or unwieldy regulations.
The law requires IoT device manufacturers to equip them with reasonable security features that will protect both the device and the information it collects and transmit from “unauthorized access, destruction, use, modification or disclosure.”
“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Senator Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.”
The new law also specified that reasonable security will include an authentication process that doesn’t rely on a local network, unique passwords for each device and requiring users to create new credentials before gaining access. It defines IoT devices as any device with an IP or Bluetooth address that can connect to the internet.
Several industry groups including the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) oppose the new law, saying what defines “reasonable security features” is not clear and gives imported devices a loophole to avoid compliance.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers but will drive away California manufacturing investment,” the CMTA said.
Both bills will become law on Jan. 1, 2020.