California’s IoT Security Law is Well-Intentioned, but a Comprehensive Federal Law is Needed (Guest Blog Post)
by guest blogger Jeff Kosseff
- The views expressed in this post are only those of the author, and do not represent the Naval Academy, Department of Navy, or Department of Defense.
The playbook is familiar: the federal government fails to address a crucial cybersecurity or privacy issue, and California’s state legislature steps in to set its own rules. It happened with data breach notification in 2002, student online privacy in 2014, and data protection this summer. And last week, California Gov. Jerry Brown signed SB 327, making California the first state to regulate Internet of Things security.
The new law is a valiant attempt to address an increasingly important issue: the security of devices that are connected to the Internet. But the law is not terribly effective in addressing the underlying threats, and a single state should not set the IoT security standards for the entire nation.
Unlike this summer’s California Consumer Privacy Act – an unmitigated disaster passed hurriedly out of fear of a more onerous ballot initiative – the IoT law is a product of more reasoned debate. It addresses a critical cybersecurity issue that federal lawmakers have ignored for too long. Nearly four years ago, the Federal Trade Commission staff released a report in which it noted “broad agreement” that “increased connectivity between devices and the Internet may create a number of security and privacy risks.” But even as connected devices proliferate, Congress has failed to pass legislation to regulate IoT security.
California’s new IoT law attempts to fill that gap by requiring manufacturers of connected devices to embed “reasonable” security features that are: (1) “[a]ppropriate to the nature and function of the device,” (2) “[a]ppropriate to the information it may collect, contain, or transmit,” and (3) “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
So what do manufacturers need to do to comply with this arguably vague requirement? It’s not entirely clear. If the device can authenticate outside of a LAN, the law states, the manufacturer must ensure that either “[t]he preprogrammed password is unique to each device manufactured” or “[t]he device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” Other than that, there isn’t much guidance as to how a manufacturer could comply with the new law.
The bill addresses a pervasive and critical flaw in many IoT devices – the use of easily guessed default passwords. But as Robert Graham noted, the California law only addresses one of many IoT vulnerabilities:
The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn’t have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet a wholly separate system for things like debugging interfaces. Just because a device does the proscribed thing of using a unique or user generated password in the user interface doesn’t mean it doesn’t also have a bug in Telnet.
Graham also correctly notes that the law is “backwards looking,” doling out blame for past attacks rather than preventing future incidents.
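To make the two points above concrete, here is an added example (not from the post or from any real product) that models the SB 327 password clause the way a manufacturer's compliance review would have to: each authentication surface Graham lists is audited separately against option (1) unique-per-device or option (2) forced credential change, and a small first-use gate shows what option (2) means in practice. The device inventory, surface names and the factory secret are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class AuthSurface:
    """One way into the device. A real unit has several (web UI, Telnet, debug)."""
    name: str
    reachable_outside_lan: bool       # the SB 327 password clause applies only here
    unique_per_device: bool           # option (1): preprogrammed password differs per unit
    forces_change_on_first_use: bool  # option (2): owner must set a new credential first


def surface_complies(s: AuthSurface) -> bool:
    """A remotely reachable surface must satisfy option (1) or option (2);
    a surface reachable only on the local network is outside the clause."""
    if not s.reachable_outside_lan:
        return True
    return s.unique_per_device or s.forces_change_on_first_use


def audit(surfaces: List[AuthSurface]) -> List[str]:
    """Names of every remotely reachable surface still relying on a shared default.
    Checking the web UI alone, as the statute's wording invites, would miss these."""
    return [s.name for s in surfaces if not surface_complies(s)]


class FirstUseGate:
    """Option (2): deny every login until the owner replaces the factory secret."""

    def __init__(self, factory_secret: str) -> None:
        self._factory = factory_secret
        self._current = factory_secret
        self._provisioned = False

    def set_credential(self, old: str, new: str) -> bool:
        # Reject an empty credential and reject re-using the factory value.
        if old != self._current or not new or new == self._factory:
            return False
        self._current, self._provisioned = new, True
        return True

    def login(self, secret: str) -> bool:
        return self._provisioned and secret == self._current


# Constructed inventory: only the web UI was fixed; Telnet still ships a shared default.
DEVICE = [
    AuthSurface("web management UI", True, False, True),
    AuthSurface("telnet (/etc/passwd)", True, False, False),
    AuthSurface("uart debug console", False, False, False),
]
```

Running `audit(DEVICE)` flags only the Telnet surface: the web UI complies, and the UART console is out of the clause's scope even though it still carries a shared default.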
Beyond the concerns about the limited technical efficacy of the bill, I worry that other states will follow suit and adopt their own IoT security bills. If they decide to adopt conflicting requirements, IoT device manufacturers will need to comply with all of the state laws. Even if each state law would lead to a net improvement in security, compliance with all of the laws would be burdensome and, in some cases, impossible.
There is precedent for such chaos. Every state has adopted a data breach notification law, and many of the laws contain different notification content requirements and thresholds for when notification is required. Because the breach notice laws apply based on the state of the data subject’s residence, U.S. companies effectively must comply with all 50 notification laws. This means, for instance, that a North Dakota resident might be notified of a data breach, while a South Dakota resident would not be notified of the same breach. And Massachusetts prohibits data breach notices from describing how a breach occurred, while other states require such description.
Like data breach notice laws, the California IoT law will apply to companies regardless of whether they have any operations in California. The law applies to any IoT “manufacturer,” which it broadly defines as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.”
IoT security laws would be even more burdensome than the breach notice laws. While companies could satisfy state breach notice requirements by sending different notices based on their customers’ residence, it would be impossible to manufacture different connected devices based on the security requirements of each state. The states have no obligation to coordinate with each other to ensure that their requirements are harmonious.
Private parties do not have the authority to sue under the California law; rather, the law delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels, and district attorneys. I question the wisdom or efficacy of empowering a district attorney to enforce the cybersecurity of a global, multi-billion-dollar industry.
IoT security is an inherently interstate issue. Under the Dormant Commerce Clause, courts have struck down state laws that are unduly burdensome, extraterritorial, or inconsistent. As I argue in a forthcoming article in Wake Forest Law Review, state cybersecurity regulations may fall into all three categories of laws that the Dormant Commerce Clause prohibits. The Framers entrusted Congress with the duty to regulate interstate commerce because they already had attempted a state-by-state approach to commercial regulation. It didn’t work out so well.
The California law should be a wake-up call to Congress to address IoT and so many other pressing cybersecurity issues. Last year, the Senate passed the Developing Innovation and Growing the Internet of Things Act, which creates a working group to present an Internet of Things report to Congress. Also last summer, a bipartisan group of senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which would regulate the security of IoT devices sold to the federal government. The bill has not moved out of the Senate Homeland Security and Governmental Affairs Committee.
Rigorous federal cybersecurity laws, rather than patchworks of state requirements, provide uniform standards to guide compliance. Moreover, federal laws are more likely to be informed by subject-matter experts. Congressional committees can rely on skilled legislative staffers and federal agencies such as the National Institute of Standards and Technology. And there is growing momentum to revive the Office of Technology Assessment, a legislative office whose technologists produced in-depth reports for Congress until it was shuttered in 1995. Even without OTA, Congress has access to more resources and expertise than any single state, and is better positioned to regulate emerging fields such as IoT.