Last Updated on June 29, 2021
California Senate Bill 327, “Information privacy: connected devices” took effect on January 1, 2020. It requires all Internet of Things (IoT) devices sold in the state to be equipped with “reasonable security.”
But SB 327 is “a bill of few words.” In fact, it’s incredibly short—especially for a piece of legislation. Ironically, its brevity is what makes the law a challenge to interpret.
The only IoT security requirements that SB 327 explicitly spells out are for manufacturers to equip any device “with a means for authentication outside a local area network” with this “reasonable security feature”:
- The preprogrammed password is unique for each device manufactured, and/or
- The device requires a user to generate a new means of authentication before granting first access.
Many people are misinterpreting that language and thinking, “OK, great, we do that; we’re done.” But the bill further defines “reasonable security features” as being:
- Appropriate to the nature and function of the device;
- Appropriate to the information the device may collect, contain or transmit; and
- Designed to protect the device and any data on it from unauthorized access, destruction, use, modification or disclosure.
Authentication controls certainly fall within the above description. But they may not be the only controls a device needs to comply with SB 327. Importantly, the California Attorney General’s Office has clarified that “reasonable security” includes being aligned with “an authoritative information security standard” like ISO 27001 or the Center for Internet Security’s Critical Security Controls.
So do you need an ISO 27001 certification for your device to be SB 327 compliant?! Hopefully not. But you might need to do more than just require a unique password.
For one thing, features “appropriate to the nature and function of the device” could arguably encompass not just the device itself, but also its wider IoT ecosystem.
An IoT device often includes an embedded application, and/or a mobile app to configure and interact with it. And don’t forget the cloud components, be they cloud infrastructure tools, a web app and/or APIs that the device consumes. If the physical device alone is “secure” but these other components that are integral to using the device are not secure, then the device could be deemed out of compliance with SB 327.
Defining reasonable IoT device security based on its deployment context would also vary with the intended use case. For example, a device intended to be mounted outside a private home that turns a light on when it senses motion would logically be held to a different standard of “reasonable security” than a device that shuts down a nuclear reactor when it senses specific conditions.
Further, SB 327 says reasonable IoT device security needs to be appropriate to the type of data the device handles. Data that is subject to other laws and regulations (e.g., personal health information (PHI)) or has greater risk associated with it will presumably be held to a higher standard of protection.
By extension, if an IoT device manufacturer designs a device intended to process PHI to be HIPAA-compliant, that would present a strong argument to the CA AG that “reasonable security” was applied, as HIPAA is designed to protect PHI.
Where does privacy come into play in SB 327? This is a big gray area due to all the overlap between security and privacy controls. To ensure compliance, many manufacturers will probably want to comply with relevant security and privacy guidelines.
Meanwhile, below this analysis of IoT security requirements lurks a deeper question—what makes a device an IoT device in the first place? SB 327 says, “Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
That’s a pretty broad definition! And according to the ioXt Alliance, “the global standard for IoT security,” a huge range of devices from cell phones to smart home controls to portable medical devices to automotive technology to pet trackers to routers have been “certified secure.”
Has it now become easier to define what’s not an IoT device? That was the conversational drift during a recent episode of The Virtual CISO Podcast with IoT experts Aaron Guzman and John Yeoh from the Cloud Security Alliance. One thing is clear: IoT continues to morph into an ever more vast, amorphous and complex realm.
Concerned about IoT security, including secure IoT development, IoT device testing or SB 327 compliance? Contact Pivot Point Security.