California Governor Approves Bills Tightening Security, Privacy of IoT Devices

Senate Bill 327 and Assembly Bill 1906, signed Sept. 28 by Gov. Jerry Brown, would require makers of Internet-connected devices to improve their security.

By Theo Douglas / September 28, 2018

Gov. Jerry Brown has signed two bills that could make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of California residents.

The governor's office announced on September 28 that Brown had signed the legislation, Assembly Bill 1906 and Senate Bill 327. He had until the end of the day on Sept. 30 to do so. Both bills will become law in about 15 months, on Jan. 1, 2020. That delayed effect, one of the lawmakers behind the legislation said, is designed to hold industry accountable but not stifle innovation or unduly burden it with regulation. Senate Bill 327 is the older of the two and was introduced in Feb. 2017 by state Sen. Hannah-Beth Jackson, D-Santa Barbara, but as currently amended, the senator told Government Technology, is “pretty much a mirror” of AB 1906, introduced in January by Assemblywoman Jacqui Irwin, D-Thousand Oaks.

Both require manufacturers of connected devices to equip them with a “reasonable security feature or features” that are appropriate to their nature and function, and the information they may collect, contain or transmit — and are designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.”

The bills also specify that if such a device has a “means for authentication outside a local area network,” that will be considered a reasonable security feature if either the preprogrammed password is unique to each device made, or the device requires a user to create a new “means of authentication” before initial access is granted.

They define "connected device" as a device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.

Jackson said she’s had “concerns about privacy issues for many, many years,” and was prompted to act last year after hearing from constituents and learning that the My Friend Cayla smart doll, which had been banned in Germany due to concerns about the safety of children, had not been banned in the U.S. She questioned how IoT devices including microwaves, thermostats and security cameras were secured and was shocked by the lack of security she found.

“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.

However, the question of what defines a “reasonable security feature or features” is one of several that industry groups — among them, the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) — cited in their opposition to AB 1906.

In a statement provided to GT, the CMTA said the bills are an attempt to “create a cybersecurity framework by imposing undefined rules on California manufacturers,” but instead create a loophole allowing imported devices to “avoid implementing any security features.” This, it said, makes the state less attractive to manufacturers and less competitive, and increases the risk of cyberattacks.

“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the CMTA said.

The Entertainment Software Association, one of three industry groups including NEMA that are opposed to SB 327, said existing law already requires manufacturers to set up “reasonable privacy protections appropriate to the nature of the information they collect.”

Jackson said the bills still leave it to industry to use “their best judgment” to determine reasonable security and disagreed with the idea that the bills might create a loophole for imported devices.

“The concern, I think, is misplaced, because when the products are sold in this country, they will have to meet those standards even if they’re manufactured elsewhere,” she said.

State law would have allowed the bills to become law if they were neither signed by Brown nor vetoed — but both pieces of legislation specified they must be signed by the governor and can only become law if the other bill is also signed. A member of Jackson’s staff characterized this as a provision aimed at ensuring both houses remain on the same footing.

Editor's Note: This story has been updated to indicate that the Governor signed both pieces of legislation. An earlier version was published before this was reported. 

Theo Douglas Staff Writer

Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.