Privacy & Data Security Law News

INSIGHT: Sizing Up California’s New Password Legislation—A Dumb Law for Smart Devices?

Feb. 11, 2019, 9:01 AM

Passwords are a hassle. Even with more than 1.4 billion passwords available for sale on the dark web, people reuse the same passwords across multiple platforms and consistently opt for simpler and weaker passwords.

Companies do something similar. Technology manufacturers typically offer a range of products that all come preloaded with the same default passwords. Often, these are never changed—exposing the end user to persistent threats.

When the technologies in question are internet-enabled, the threat suddenly becomes much more wide ranging and insidious. It’s not just WiFi routers and thermostats.

Think about the password protection (or lack thereof) used for your smart assistant that “listens” to everything you say, ready to respond to your questions. Think of the connected baby monitors and nanny cams watching your children, or the robot vacuum cleaners storing detailed floor maps of your home.

Outside of the home, things get even more important to protect. Factory machines could be made vulnerable through the Industrial Internet of Things. In hospitals, the stakes are even higher, with the Internet of Medical Things touching millions of connected medical devices.

Without strong, frequently changed passwords, any efforts at network security will be dead in the water. That’s why California Gov. Jerry Brown signed legislation in October requiring connected devices to be equipped with “reasonable security features,” including a ban on weak passwords. Despite claims to the contrary, the legislation is both smart and necessary.

What’s in the California Information Privacy Legislation?

The new “Information Privacy: Connected Devices” law applies to connected devices like those that make up the Internet of Things. The law requires manufacturers to:

  • Include a “preprogrammed password … unique to each device manufactured” or “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
  • Include security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
  • Cease utilizing passwords like “admin” or “password” from 2020 on.

Can the Law Be Enforced?

It’s not clear, practically speaking, how enforceable the law will be.

The law applies to anyone selling connected devices in California. Some types of mainstream device—like robot vacuums or baby monitors — are sold primarily over the counter, directly to consumers. Those are relatively easy for inspectors to check.

But many devices are sold to businesses. Sometimes, the connected device will be embedded in another product and then sold on. That can make it hard for the California authorities to spot connected devices to ensure they’re compliant.

Of course there is another option for compliance monitoring. When connected enterprise environments are breached, there is typically a post-mortem cyber forensic investigation. If weak credentials were present on the network, the investigation will find as much.

In some sensitive industries, like healthcare and insurance companies, for example, the breached organizations are required to disclose the circumstances of the breach often the findings of the subsequent investigation. Publicly traded companies whose bottom lines may have been affected by a breach are similarly compelled to release details of their environmental vulnerabilities.

By slapping additional fees on the tech manufacturers supplying these organizations and whose products were found to be in violation of the law, California may be able effectively outsource the oversight regime need to enforce the law.

Is the ‘Bad Passwords’ Law a Good Idea?

The California password law is not without controversy. Some critics claim the government shouldn’t force businesses to take commonsense security measures. These critics argue that free markets are better suited to promote healthy business behavior and demote stupidity, without government intervention. This thinking is mistaken, however.

The famous Tragedy of the Commons comes to mind and poignantly demonstrates the fact that, in a crowded and confused marketplace, smart legislation is instrumental in imposing the order and perspective needed to direct all parties to mutually preferred outcomes.

Among device manufacturers, software vendors, users, and third-party security providers, for example, it’s not always clear who should take responsibility for ensuring best practices. Who, for instance, is responsible for setting passwords on products that involve all of the above? How is the relevant information coordinated between the other stakeholders? Who is responsible for managing the passwords after they’ve been initially set?

Legislation can play a part in answering these questions and drawing a clear responsibility matrix. Which is exactly what the California password law does.

The law’s value comes less through its enforcement and more through making it clear who is responsible for what and raising the collective costs associated with poor cybersecurity posture.

Contrary to the “all regulation is bad regulation” argument, California’s law internalizes economic externalities and rewards positive business practices.

California has a reputation as America’s legislative laboratory. Rather than shying away from tough problems assumed to be impervious to government intervention, California approaches the challenge as a testing ground for creative new solutions.

History shows that knowing better doesn’t necessarily mean doing better. This is certainly the case when it comes to network security. The Wannacry ransomware attack impacted computers that hadn’t been updated with a months-old security patch. The Target data breach of 2013—which impacted more than 60 million customers—was made possible by compromised credentials stolen from a third party.

Author Information

Safi Oranski is vice president of Business Development at CyberMDX where he drives global strategic programs. He joins CyberMDX from Centrica Business Solutions where he was Head of Business Alliances and IoT. He has a law degree from the IDC, Herzliya, and an MBA from Northwestern University Kellogg School of Management.

To read more articles log in. To learn more about a subscription click here.