Manufacturers of smart microwaves, light bulbs, and other connected devices will face new security requirements in California and Oregon next year.
The two states are the first ones to specifically regulate the security of internet of things devices, with laws taking effect Jan. 1. Other states are likely to follow, privacy and tech attorneys say.
Internet of things security is a growing concern as the number of connected devices increases. The International Data Corporation estimates that 41.6 billion internet of things devices could be operating by 2025.
“Some companies are rushing to get devices out into the wild and they haven’t thought about security, and it’s created this massive risk that’s been exploding in recent years,” Nicholas Merker, an Indianapolis, Ind.-based attorney who co-chairs Ice Miller LLP’s data security and privacy practice, said.
The laws include different definitions for connected devices. California’s law applies to any device or object that connects directly or indirectly to the internet and is assigned an internet protocol or Bluetooth address. The Oregon law similarly covers devices or objects with those requirements, but only those that are used “primarily for personal, family, or household purposes.”
Manufacturers must equip connected devices with “reasonable” security features, but neither law precisely defines the term. That may pose compliance challenges for companies, attorneys said.
California’s law exempts connected devices subject to security requirements under federal law, regulations, or federal agency guidance. Under Oregon’s law, compliance with security requirements in federal laws or regulations is considered to be reasonable security.
Connected devices sold in California and Oregon will have to be equipped with reasonable security features that are appropriate to the device’s nature, function, and data it collects or transmits, and be designed to protect the device and the information from unauthorized access, use, or disclosure.
“Having a reasonable approach lets the industry figure out what’s reasonable for specific companies,” Merker said.
Companies should think about what data the device is collecting, how it’s being used, and potential data security risks, attorneys said. Companies should consider these questions throughout a device’s design process and think about how to minimize security risks, they said.
Customers can’t directly sue manufacturers under the California law, which can be enforced by officials such as the state attorney general, and city and county officials. In Oregon, consumers will be able to sue because a violation would be considered an unlawful trade practice under state consumer protection law, attorneys said.
Both laws also contain a safe harbor for credentials: a device that can be authenticated from outside a local area network is deemed to have a reasonable security feature if either the pre-programmed password is unique to each unit manufactured, or the device requires the user to generate a new means of authentication before access is granted for the first time.
The password provision may boost IoT security against botnets, networks of malware-infected devices under an attacker's remote control, attorneys said. Connected devices are sometimes sold with the same default password across an entire product line, they said; once that one credential is known, it works against every unit reachable from the internet, which is what lets automated scanners enlist devices in bulk.
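The two safe harbors in the password provision, and the shared-default failure mode the attorneys describe, as an added example in Python. This is illustration written for this page, not code from the article, from either statute, or from any device vendor: the device model, the single `admin` account, the list of known default credentials, the fleet sizes and the local-network-only first-run setup are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data (hypothetical): the kind of default-credential list an
# internet-wide scanner sweeps across exposed devices.
KNOWN_DEFAULTS = [("admin", "admin"), ("root", "12345"), ("admin", "password")]
PBKDF2_ITERATIONS = 100_000  # tune upward on real hardware; kept modest here


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """One unit of a product line. `mode` selects how it leaves the factory:
    'shared_default'    - every unit ships with the same password (the weak case)
    'unique_per_device' - a random per-unit password, printed on the label (safe harbor a)
    'force_setup'       - no usable credential until the owner creates one (safe harbor b)
    """

    def __init__(self, serial: str, mode: str):
        self.serial = serial
        self.mode = mode
        self.salt = os.urandom(16)
        self.pw_hash = None           # None means no credential exists yet
        self.setup_done = False
        self.factory_password = None  # what the factory would print on the label
        if mode == "shared_default":
            self.factory_password = "admin"  # hypothetical product-wide default
            self._store(self.factory_password)
        elif mode == "unique_per_device":
            self.factory_password = secrets.token_urlsafe(12)  # unique to this unit
            self._store(self.factory_password)
        elif mode == "force_setup":
            pass  # nothing to store; remote access stays refused until setup
        else:
            raise ValueError(f"unknown mode {mode!r}")

    def _store(self, password: str) -> None:
        self.pw_hash = _hash(password, self.salt)
        self.setup_done = True

    def first_run_setup(self, new_password: str, from_local_network: bool) -> bool:
        """Owner creates the first credential. Only allowed once, only from the
        local network, and a well-known default is refused outright."""
        if self.setup_done or not from_local_network:
            return False
        if len(new_password) < 8 or new_password in {p for _, p in KNOWN_DEFAULTS}:
            return False
        self._store(new_password)
        return True

    def login(self, username: str, password: str, from_local_network: bool) -> str:
        """Returns 'ok', 'setup_required' or 'denied'."""
        if self.pw_hash is None:
            # Force-setup unit: the WAN side is closed until setup has happened.
            return "setup_required" if from_local_network else "denied"
        if username != "admin":  # hypothetical single administrative account
            return "denied"
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "ok"
        return "denied"


def build_fleet(mode: str, n: int = 5) -> list:
    return [Device(f"{mode}-{i:03d}", mode) for i in range(n)]


def botnet_sweep(devices: list, candidates=KNOWN_DEFAULTS) -> list:
    """Simulate a scanner trying known defaults against each device over the
    internet. Returns the serials it gets into."""
    compromised = []
    for dev in devices:
        for user, pw in candidates:
            if dev.login(user, pw, from_local_network=False) == "ok":
                compromised.append(dev.serial)
                break
    return compromised


if __name__ == "__main__":
    for mode in ("shared_default", "unique_per_device", "force_setup"):
        fleet = build_fleet(mode)
        print(f"{mode:18s} compromised: {len(botnet_sweep(fleet))}/{len(fleet)}")
```

The shared-default fleet falls to the very first credential pair on every unit; the other two fleets yield nothing to the sweep because there is no credential common to more than one device. Note that the force-setup unit refuses remote logins entirely rather than answering with a prompt, so a scanner cannot even tell it has found an unconfigured device.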
“The password issue isn’t going to solve botnets,” Adrienne Fowler, a partner at Harris, Wiltshire & Grannis LLP, said. “But if you were to get every IoT device sold in the U.S. to meet these password requirements, would you substantially reduce the threat of botnets? Yeah.”
Attorneys said they expect more states to address IoT security, among other privacy and security issues, in the future. In a few other states, similar IoT bills haven’t progressed this year.
“States looking at privacy and security issues is a continuing trend. Legislatures will continue to think about these issues, how to ensure that in a data heavy economy, data is being collected, stored, and used responsibly, and that security is a top of mind issue,” Andrew Grant, a partner at Perkins Coie LLP, said.
A jurisdiction-by-jurisdiction approach, though, can be challenging for companies making IoT devices if security requirements differ by state, attorneys said.
“The more of these laws that are introduced, the more companies will have to try and find the common threads and create compliance regimes within the patchwork,” Grant said.