A bill to ensure information privacy in connected devices is waiting for Gov. Jerry Brown's signature.
AB 1906 would require smart devices to include baked-in security measures. Such devices could include virtual assistants, connected doorbells and locks, and Wi-Fi-enabled climate controls.
"This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified," the bill states.
The legislation is written to enable innovation and minimize the need for the attorney general to enforce it, said the bill's author, Assemblymember Jacqui Irwin. Irwin, chair of the Select Committee on Cybersecurity, spoke to Techwire in an interview.
"We were trying to make something simple and just address the authentication and passwords," she said.
The baseline of such security would be requiring new passwords when a consumer begins using the device.
"When you're talking about security, a lot of what you're talking about also is making sure no one can hack into your private information because it's exposed," Irwin said.
Some companies, especially large ones like Amazon and Google, already include security measures, but the legislation will apply to all vendors. This is meant to protect privacy and the ability to modify devices.
"Computer hygiene plays into both of those areas. Your information is not protected if you have not taken basic security steps to protect it."
The bill defines security features and authentication as a way to provide security and verify users, as well as connected devices. Those devices include anything assigned an Internet Protocol or Bluetooth address.
Medical devices and similarly federally regulated devices will be exempt from the bill because they are already managed at the federal level.
The requirements would be applied to personal and commercial products.
Groups such as the California Manufacturers & Technology Association, the California Chamber of Commerce and TechNet believed that the first versions were too vague about what would be considered reasonable measures.
A twin bill, SB 327, authored by state Sen. Hannah-Beth Jackson, must also be signed into law for either bill to go into effect.