The new California IoT security bill underscores the importance of securing the IoT and will likely pave the way for clearer and more consistent standards to protect consumers and their data from fraud and abuse.
The connected devices security bill, recently signed into law by Governor Jerry Brown, requires IoT devices and other connected platforms to include “reasonable” security features in their products. While the bill’s definition of “reasonable” is vague, the legislation does make clear the importance of protecting connected devices. The bill, which goes into effect in 2020, requires IoT device makers to include features that apply appropriate security based on the information the device collects or transits. Such features are intended to protect devices from unauthorized access, destruction, unauthorized use, and modification.
This bill has teeth; IoT device manufacturers will be compelled to take security seriously or face significant financial consequences. Indeed, combined with the newly passed California Consumer Privacy Act of 2018, the bill creates a potential for costly damages after IoT device breaches. The Consumer Privacy Act allows for private consumer lawsuits against breached companies, but it also creates statutory damages of between $100 and $750 per consumer in a data breach. Breaches involving encrypted data are exempt from damages.
Let’s do the math: A relatively small data breach involving 10,000 consumers could potentially lead to fines of up to $7.5 million under the California privacy law. Make that $75 million for a breach involving 100,000 consumers.
California’s IoT security bill, meanwhile, is likely only the first of many. In recent years, the California State Legislature has become a leader in passing privacy and data protection legislation, with other states following its lead. The U.S. Congress is also paying attention to IoT security: In August 2017, a bipartisan group of senators introduced their own bill, aimed at vendors that supply the U.S. government with IoT devices.
Even if Congress or other states are slow to act, California’s bill likely will become a de facto standard for IoT security. With a significant number of IoT end users in the state, California enforcement actions involving IoT breaches will force IoT devices makers located elsewhere to rethink their security protections.
California’s pending legislation should drive more awareness about the importance of securing small devices among consumers and industry players alike. And, as device makers look to implement the security measures recommended by California, SecureRF and its partners stand at the ready to work with device makers to implement authentication and identification solutions designed to meet the specific performance and space requirements of the smallest of devices that dominate the IoT.
Need IoT security solutions for your customers? Please contact us today.