Keypoint: As of January 1, 2020, manufacturers of IoT devices will need to comply with new laws in California and Oregon.
It may be hard to believe but the California Consumer Privacy Act is not the only new law that will go into effect on January 1, 2020. Rather, new laws in California and Oregon that regulate IoT devices also will go into effect on that date. Below is an overview of those laws.
In September 2018, California became the first state to enact legislation directed at securing IoT devices.
The California legislation requires “manufacturers” of “connected devices” to equip them with “a reasonable security feature or features” that are:
- appropriate to the nature and function of the device;
- appropriate to the information the device may collect, contain or transmit; and
- designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.
The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The law defines “connected device” as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
It defines “manufacturer” as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
Notably, the law exempts certain activities from its requirements. For example, it does not impose a “duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.” It also does not apply “to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.” And the law exempts HIPAA covered entities and business associates to the extent the activity in question is covered by that act.
Oregon’s legislation was modeled on California’s law and therefore shares many similarities.
One notable difference is that Oregon’s legislation defines “connected device” to mean “a device or other physical object that “[c]onnects, directly or indirectly, to the Internet and is used primarily for personal, family or household purposes” and “is assigned an Internet Protocol address or another address or number that identifies the connected device for the purpose of making a short-range wireless connection to another device.” (Emphasis added.) The inclusion of the phrase “used primarily for personal, family or household purposes” is a potentially significant limitation for IoT manufacturers.
The Oregon legislation also contains a different definition of “manufacturer,” stating that the term “means a person that makes a connected device and sells or offers to sell the connected device in this state.” In comparison, California’s law defines manufacturers to include any entity that “contracts with another person to manufacture [the connected device] on the person’s behalf.”
As with the California statute, Oregon’s law requires manufacturers to equip connected devices with “reasonable security features.” The law defines that term to mean “methods to protect a connected device, and any information the connected device stores, from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit.”
A reasonable security feature “may consist of” a means for authentication from outside a local area network, including a “preprogrammed password that is unique for each connected device” or a “requirement that a user generate a new means of authentication before gaining access to the connected device for the first time.” The law also provides that a reasonable security feature may consist of “compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.”
The law contains a number of exclusions, including exclusions for entities subject to HIPAA “with respect to any action that [HIPAA] regulates” and a “connected device, the functions of which are subject to and comply with the requirements, regulations and guidance that the United States Food and Drug Administration promulgates under 21 C.F.R. parts 800 to 1299 or other requirements, regulations and guidance the United States Food and Drug Administration promulgates with respect to medical devices, including software as a medical device.”
With approximately two months to go until they go into effect, entities subject to these new laws should be reviewing these laws and taking steps to ensure that they are in compliance.