An Introduction to California’s Upcoming IoT Regulations

As Internet of Things (IoT) devices continue to grow in popularity, new cybersecurity standards and regulations will be needed to protect users’ information. Recently, California Governor Jerry Brown signed a new cybersecurity law that covers such “smart devices”: Senate Bill 327, which was introduced last year and passed the state Senate on August 29th, 2018. This makes California the first state to have such a law. Starting on January 1st, 2020, any manufacturer of a device that connects directly or indirectly to the internet must equip its devices with “reasonable” security features, i.e., features designed to prevent unauthorized access, modification, or information disclosure. If a device can be accessed outside of a local area network with a password, it must either come with a password that is unique to each device or force users to set their own password when they connect for the first time.


The Problem with Hard-Coded or Default Passwords in IoT

Passwords are a simple security method, but default (or hard-coded) passwords pose a serious security threat in the Internet of Things. IoT devices often ship with a default password for the initial log-on and setup process. When that default password is the same across a product range, anyone who learns it for one device knows it for every device in that range. In addition, it’s estimated that 15% of IoT device owners fail to change their default passwords. Hackers are keenly aware of this vulnerability and have begun creating malware and botnets that exploit these default passwords. Though users can try to protect themselves by running regular audits on their IoT devices or changing their passwords on a protected network, it will be much easier to manage security risks if IoT vendors put measures in place to prevent hard-coded and default credentials. The new SB-327 law will require that vendors include such safeguards.


Details of the Bill

A passage in SB-327 calls for a “reasonable security feature … appropriate to the nature and function of the device.” That is, devices must be equipped with features that meet at least one of the two following requirements:

“(1) The preprogrammed password is unique to each device manufactured,

“(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

The law does not address any specific security technologies (e.g., encryption or tokenization). The upside is that, because IoT devices come in many types and have many uses, each requiring different security measures, the law can be applied flexibly.



Senate Bill 327 also outlines the scenarios that it does not address. The law does not apply to any third-party software that a user installs, and it does not mandate that retailers or software providers review the compliance of a device. SB-327 doesn’t apply to devices sold only to federal agencies or the military. It does not allow manufacturers to obstruct law enforcement agency access to a device with these required features. Also, the new law doesn’t yet list any penalties for non-compliance; enforcement of the law is in the hands of government agencies.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law. The bill doesn’t, however, name any penalties or remedies that can be conferred by these entities.
