In today’s world, a wide range of products connect to the Internet to collect and share data wirelessly. These products include everything from household appliances such as coffee makers, refrigerators and baby monitors to connected vehicles, manufacturing equipment and medical devices. The Internet of Things (IoT) presents tremendous opportunity; McKinsey projects the number of IoT devices around the world to grow to 43 billion by 2023 — nearly three times more than in 2018.
The proliferation of these devices has raised concerns about the risk of hacking and unauthorized access. As a result, state and federal lawmakers have begun to take action to regulate IoT device security. For example, California and Oregon have already passed laws that will require manufacturers to incorporate mandatory minimum security features in IoT devices beginning Jan. 1, 2020. Similar measures have been introduced in a number of other states.
Federal legislators also have introduced a number of IoT bills that are pending in the House and Senate. Since regulation of these devices is on the rise, it is imperative that IoT device manufacturers begin considering the risks associated with their products and take measures to ensure that consumer data remains secure.
California is the first state to have enacted legislation regulating the security of IoT devices. Starting in 2020, connected devices that are manufactured, sold or offered for sale in California must be equipped with “reasonable security” features. Under California law, the onus to ensure that a connected device is “reasonably secured” rests with the manufacturer. What constitutes “reasonable security” under California law is not precisely defined, because whether a feature is reasonable will necessarily depend upon the nature and use case for the specific device (e.g., a security feature that is reasonable for a connected coffee pot may not be reasonable for a connected health device).
In light of this, California provides three broad parameters to evaluate the reasonableness of a particular security feature. To be deemed reasonable, a security feature must be:
- Appropriate to the nature and function of the device;
- Appropriate to the information it may collect, contain, or transmit; and
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
A number of states, including Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia, have considered legislation like California’s and a similar measure in Oregon. To date, none of the proposed bills has been enacted. The proposals considered in 2019 have generally followed California’s model, requiring manufacturers to build “reasonable” security features into their connected devices, with some variations.
The passage of IoT device security legislation in California signals the start of a specific legal framework governing IoT. In view of the growing concern over IoT device security at both the state and federal level, more legislation is likely to follow, with the potential for stricter minimum security standards in the future. Penalties for non-compliance could be significant, particularly if lawmakers opt to provide for a private right of action or impose minimum statutory damages per violation, which could give rise to costly class-action lawsuits.
Manufacturers should take action to understand the requirements in California in advance of the upcoming Jan. 1 implementation date, and continue to pay close attention to developing IoT laws and initiatives in the coming year.
Authors Jennifer Richter, Karen Milne and Virginia Hiner are with Akin Gump Strauss Hauer & Feld LLP. Richter is a partner representing technology and communications companies and investors; Milne is senior counsel who advises clients in regulatory and commercial matters in the broadcast, satellite, telecommunications, wireless and high-technology industries; and Hiner is an associate in the firm's communications and information technology practice.