California lawmakers pass a ‘first of its kind’ IoT security bill


It’s been hailed as a ‘first of its kind’ Internet of Things (IoT) bill. The California State Legislature has passed an IoT security bill titled ‘SB-327 Information Privacy: Connected Devices’. It now goes to the state governor for final approval.

Essentially the new law, when it comes into effect, will introduce regulations for all connected devices sold in the United States.

Here’s the exact wording of the legislation:

1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

According to a report in the Washington Post, cybersecurity researchers are split on the bill. Those against it say it fails to address the core issues that make connected devices vulnerable to hacks. Those on the other side say it could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level.
