Security
relating to the Internet of Things is starting to get regulated.
The first IoT security law was signed by California Gov. Jerry Brown, making the state the first in the U.S. to require
smart device makers to include security in their products.
The new law, to take effect in January 2020, “would require a manufacturer of a connected device to
equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain or transmit, and
designed to protect the device and any information contained from unauthorized access, destruction, use, modification or disclosure.”
Security features could include
preprogrammed passwords unique to each device or device security features that require a user to generate a new means of authentication before access is granted to the device for the first
time.
The law would impact any person or company that manufacturers smart or connected devices sold or offered for sale in California. The bill was approved by the California
Assembly and Senate in late August before being signed by the governor late last week.
The reality is that the leading connected device brands are highly aware of security issues
and plan accordingly.
The law may be one incentive to push security features into smart devices, but a much larger incentive is the negative impact a brand can experience when a
security flaw is detected in one of its products by the public. Negative national or even global publicity can cause much more damage to a brand than most legal penalties for a smart product security
lapse.