The countdown is on for businesses seeking to comply with the California law taking effect Jan. 1, 2020. Described as the “first of its kind,” the law will create significant compliance obligations for organizations across a broad range of sectors.
But it's not the infamous law you're thinking of: the California Consumer Privacy Act. This is a separate law that establishes new security requirements for technologies referred to as the internet of things.
California’s IoT law will regulate organizations that manufacture (or contract with another company to manufacture) certain types of connected devices that are sold or offered for sale in California. “Connected device” is defined under the new law as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
The law will require IoT device manufacturers to equip each connected device “with a reasonable security feature or features” that are:
- Appropriate to the nature and function of the device.
- Appropriate to the information the device may collect, contain or transmit.
- Designed to protect both the device and any information it contains from unauthorized access, destruction, use, modification or disclosure.
The law further provides that if a connected device is equipped with a “means for authentication outside a local area network” and either is pre-programmed with a password that is unique to each device manufactured or “requires a user to generate a new means of authentication before access is granted to the device for the first time,” the device is presumed to satisfy the “reasonable security feature” requirements. In practice, this rules out the shared factory default (the same “admin/admin” on every unit) that is reachable from the internet; a device may ship either with a credential no other unit has, or with no usable credential until the owner sets one.
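To make the two presumptively compliant configurations concrete, here is an added Python model (not code from the article, and not from any vendor or regulator) of a device's authentication gate together with a fleet-level audit. Case (a) is a factory credential generated from randomness so that no two units share it; case (b) is a device that refuses all access, remote or local, until the owner generates a credential on first use. The names (`Device`, `provision_unique_password`, `audit_default_credentials`), the PBKDF2 parameters, the 12-character minimum, and the choice to accept first-use setup only from the local network are illustrative assumptions, not requirements stated by the law.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 100_000  # assumption: size to the device's CPU budget
MIN_PASSWORD_LEN = 12        # assumption: illustrative policy, not from the law


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked flash image does not leak the credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def provision_unique_password(serial: str) -> str:
    """Case (a): a factory credential built from randomness, not derived from
    the serial or model, so no two units share it and it cannot be guessed."""
    return f"{serial}-{secrets.token_urlsafe(12)}"


@dataclass
class Device:
    serial: str
    force_change_on_first_use: bool          # case (b) when True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    factory_hash: Optional[bytes] = None     # None = ships without a credential
    user_hash: Optional[bytes] = None        # set by the owner on first use

    def set_factory_password(self, password: str) -> None:
        self.factory_hash = _hash(password, self.salt)

    def _check(self, stored: Optional[bytes], password: str) -> bool:
        # Constant-time comparison; a missing credential never matches.
        return stored is not None and hmac.compare_digest(
            stored, _hash(password, self.salt))

    def needs_first_use_setup(self) -> bool:
        """True while the device may not grant ordinary access yet."""
        return self.user_hash is None and (
            self.factory_hash is None or self.force_change_on_first_use)

    def set_initial_credential(self, new_password: str, from_lan: bool,
                               factory_password: Optional[str] = None) -> bool:
        """Case (b): the owner generates the credential before first access.
        Assumed design choice: setup is accepted only from the LAN, and a unit
        that shipped with a factory password must present it here."""
        if self.user_hash is not None or not from_lan:
            return False
        if self.factory_hash is not None and not self._check(
                self.factory_hash, factory_password or ""):
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        self.salt = secrets.token_bytes(16)      # fresh salt for the new secret
        self.user_hash = _hash(new_password, self.salt)
        return True

    def authenticate(self, password: str, from_lan: bool) -> bool:
        """Grant access on a user-chosen credential, or on a factory credential
        only if the unit does not require first-use setup. A unit still awaiting
        setup refuses every login, whichever side of the LAN it comes from."""
        if self.user_hash is not None:
            return self._check(self.user_hash, password)
        if self.needs_first_use_setup():
            return False
        return self._check(self.factory_hash, password)


def audit_default_credentials(devices: List[Device],
                              candidates: List[str]) -> List[str]:
    """Fleet check for the non-compliant case: serials of units that accept a
    well-known default from outside the local network."""
    return sorted(d.serial for d in devices
                  if any(d.authenticate(c, from_lan=False) for c in candidates))


if __name__ == "__main__":
    # Constructed sample fleet: one shared default, one unique factory
    # password, one unit that ships without a credential.
    shared = Device("SN-0001", force_change_on_first_use=False)
    shared.set_factory_password("admin")
    unique = Device("SN-0002", force_change_on_first_use=False)
    unique.set_factory_password(provision_unique_password("SN-0002"))
    fresh = Device("SN-0003", force_change_on_first_use=True)
    print(audit_default_credentials([shared, unique, fresh],
                                    ["admin", "password", "12345678"]))
```

The audit does not compare stored hashes across units (the per-device salts make that meaningless); it tries the same short list of known defaults against each unit as an outside attacker would, which is the condition the presumption is meant to exclude.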
More laws on the horizon
Although the need for greater IoT security is self-evident, the implementation of California’s IoT law in conjunction with the introduction of disparate federal laws and foreign regulations in this area may impose significant burdens on national and international businesses. In particular, if this trend continues, IoT security law may join privacy law in being riddled with competing standards and inconsistencies that will overwhelm companies with compliance obligations.
This is perhaps one of the more challenging, if not the most frustrating, aspects of data privacy compliance: the sheer volume of legal requirements. Businesses must comply with state, federal and foreign laws that all contain divergent requirements and standards. For example, each U.S. state has its own laws governing when and how organizations must notify individuals, law enforcement agencies and credit agencies of a data breach.
In addition, state and federal laws set forth different requirements for how health care providers, financial institutions and other businesses provide notice of their data processing activities. And Nevada’s recent law affording individuals the right to request that businesses not sell their personal information stands in stark contrast to the “do not sell” requirements within the CCPA. Of course, foreign data protection laws, such as the EU General Data Protection Regulation, impose additional requirements that, in certain circumstances, may be in direct contrast with U.S. domestic legal obligations.
Legislators need to recognize these regulatory burdens and ensure that IoT security laws do not follow the same model. To date, however, lawmakers have not recognized the need for uniformity. Since 2017, at least 15 bills seeking to regulate, or otherwise relating to, IoT security have been introduced in Congress. In May 2019, the U.K. announced its plan to introduce a new security law for IoT manufacturers that requires mandatory security labeling and could prohibit the sale of nonconforming devices. In June 2019, the European Cybersecurity Act entered into force, which, among other things, establishes a European cybersecurity certification framework under which companies in the EU must meet and certify compliance with applicable security standards for their products, processes and services.
Identifying 'reasonable' IoT security features
Although some governments are moving toward legislation that imposes specific security features or certification schemes, these frameworks will not assist businesses that need to comply with California’s new IoT law, which requires that security measures meet an ambiguous standard of “reasonableness.” However, this does not mean that businesses lack guidance. In August 2019, the National Institute of Standards and Technology published its first draft of “Core Cybersecurity Feature Baseline for Securable IoT Devices,” which followed its June publication, “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks.” While not a set of rules for manufacturers to follow, the NIST publications provide valuable guidance intended to promote the best available practices for mitigating risks to IoT security.
Additionally, in 2017, the European Union Agency for Cybersecurity published its “Baseline Security Recommendations for IoT,” followed by multiple publications that provide guidance on various IoT security requirements, such as mapping critical assets and relevant threats, assessing possible attacks, and identifying potential good practices and security measures to protect IoT systems. ENISA also issued a May 2019 publication, “Industry 4.0 Cybersecurity: Challenges and Recommendations,” which offers guidance specific to the manufacturing sector. The ISA/IEC 62443 series of standards, developed by the ISA99 Committee, provides a framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. In particular, the IEC 62443 series addresses policies and practices for system integration, secure development life cycle requirements, IACS components security specifications, and security requirements and security levels.
These and similar guidelines provide common approaches to IoT security. For example, IoT security guidelines often recommend the following features as a core part of IoT security:
- Security by design.
- Identification and authentication protocols.
- Secure reconfiguration processes.
- Encryption and data protection at rest and in transit.
- Limiting access to local and network interfaces.
- Allowing for secure software and firmware updates.
- Security incident logging.
An important aspect of any compliance program, including IoT security compliance, is the development and maintenance of internal processes for identifying new legal requirements and documenting compliance with them. For example, an organization should consider developing a security impact assessment that will enable it to identify whether the creation of a new IoT product implicates any regulatory security requirements to ensure that it incorporates the proper features. The organization should also document (and retain in a secure format) the necessary security features for each device. Such processes and documentation will not only assist in the pre-manufacturing process, but also with any potential post-production audit by regulatory authorities.
It is commonly thought that IoT devices are more vulnerable to cyberattacks than traditional connected technology because they often lack the processing power and memory needed to run conventional protections such as host firewalls and antivirus or anti-malware programs. Moreover, the devices often ship with undocumented remote-access mechanisms (“back doors”), such as hard-coded credentials or debug services left enabled for support, which create weaknesses that can be exploited by anyone who discovers them.
Although domestic and foreign lawmakers, including California’s, recognize the importance of security for these devices, they have not reached consensus as to what form or type of security is necessary. Accordingly, as businesses develop IoT security features and processes, they should look to the common recommendations established across industries, as they will likely form the foundation for future certification standards.