A new California law sets mandatory internet of things device security rules. So if suppliers must build to meet the law in that state, they will likely sell the same device everywhere else.
The new law takes effect on January 1, 2020. In contrast to existing California data privacy laws protecting personal information, the new law aims to protect the security of both IoT devices and any information contained on IoT devices.
The law requires a manufacturer that sells or offers to sell a connected device in California to equip the device with a reasonable security feature or features, including:
- Appropriate to the nature and function of the device
- Appropriate to the information it may collect, contain, or transmit
- Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
While the law only vaguely defines the term "security feature," it requires security whenever a connected device can be authenticated outside a local area network. Well, in an age of cloud computing, that is virtually all devices.
Reasonable security features include:
- The preprogrammed password is unique to each device manufactured"
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."
So what is a “connected device?” "Any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
Sort of any device, in other words.
No comments:
Post a Comment