
California passes the U.S.' first IoT security bill

  • 25 Sep 2018


California likes to lead the way when it comes to digital regulation. Just a few weeks ago it passed legislation that looks like it could restore net neutrality. Now a bill designed to tighten IoT security is with the governor, awaiting signature to be carried into California state law.

The bill, SB-327 Information privacy: connected devices, was initially introduced in February 2017 by Senator Jackson. It was the first legislation of its kind in the US. Approved at the end of August, it will come into effect at the start of 2020 once signed by Governor Jerry Brown.


What California’s IoT bill states


The new IoT security bill covers a number of important areas. For example, for manufacturers, IoT devices will need to contain certain safety and security features:

  • Security should be appropriate to the nature and function of the device.
  • The feature should be appropriate to the information an IoT device may collect, contain, or transmit.
  • It should be designed to protect the device and information within it from unauthorized access, destruction, use, modification, or disclosure.


If an IoT device requires authentication over the internet, further conditions need to be met, such as:

  • The preset password must be unique to each device that is manufactured.
  • The device must ask the user to generate a new authentication method before being able to use it for the first time.


It’s worth noting that the points mentioned above for IoT security are not applicable to IoT devices that are subject to security requirements under federal law. Also, a covered entity such as a health care provider, business associate, contractor, or employer subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act is exempt from the points mentioned.

The IoT is a network of several devices that connect to the internet via Wi-Fi. They are not openly visible, as most of them are used in a local network, but they often do not have many security measures. The bill doesn't give an exact definition of a ‘reasonable security feature’ but provides a few guiding points in the interest of a user’s security.

The legislation states:

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

Criticisms of the IoT bill


Some cybersecurity experts have criticised the legislation. For example, Robert Graham writes on his Security Errata blog that the bill is “based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.”

He explains that “the point [of good cybersecurity practice] is not to add ‘security features’ but to remove ‘insecure features’.”

Graham’s criticisms underline that while the legislation might be well-intentioned, whether it will be impactful remains another matter. This is, at the very least, a step in the right direction by a state that is keen to take digital security and freedom into its own hands.

You can read the bill at the California Legislative information website.
