California passes first U.S. Internet of Things cybersecurity law

Broadly speaking, Internet of Things (IoT) refers to equipping objects with computing devices that enable them to connect to the internet and send and receive data. As the product ecosystems of companies evolve, and as consumers demand increased functionality from their everyday devices, IoT is becoming increasingly commonplace in everything from supply chain management to coffee makers.  

However, these connected “smart” devices create access points into both the device itself, and the larger network to which that device is connected, thereby creating an opportunity for third party hackers with nefarious motives to penetrate the network system. Cybersecurity is a growing concern as it pertains to IoT devices, as a cyber breach could result in not only detrimental financial and reputational consequences, but also bodily injury or property damage.
California recently became the first U.S. state to pass an IoT cybersecurity law. Senate Bill No. 327 was introduced last year and passed the state senate in August 2018. Coming into force on 1 January 2020, the law requires any manufacturer of a device that connects “directly or indirectly” to the internet to equip it with “reasonable” security features designed to prevent unauthorized access, destruction, use, modification, or information disclosure. If the device is equipped with a password outside a local area network, then (1) the preprogrammed password must be unique to each device manufactured, or (2) the device must contain a security feature that requires the user to generate a new password before using the device for the first time. Theoretically, this requirement will prevent hackers from guessing the generic default credentials. Manufacturers affected will include the person or entity who manufactures, or contracts with another person to manufacture on their behalf, connected devices that are sold or offered for sale in California. While no specific sanctions or fines are set out, the bill states that the Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce the legislation.
While the bill has received mixed feedback from cybersecurity experts, the consensus is that it represents a step in the right direction.  While other IoT-related bills have been introduced in the U.S., none have yet been voted on. Canada currently has no dedicated IoT law. The Personal Information Protection and Electronic Documents Act (PIPEDA), the federal legislation which governs the protection of personal information in the course of commercial activities, remains the overarching privacy legislation in Canada. However, whether the data that a particular IoT device collects represents personal information, as defined within PIPEDA, is a discussion too nuanced for the scope of this article.
As a compliment to robust internal compliance mechanisms, cyber liability insurance can help organizations, including manufacturers, looking to transfer some of the risk that can arise out of a cyber or privacy breach or non-compliance with privacy laws. A cyber policy provides coverage for the costs an organization incurs to manage a cyber or privacy breach. The policy also covers defence costs, judgments and settlements where the organization is involved in third party litigation or a regulatory proceeding. If the cyber liability insurance policy contains robust wording, coverage may be available for fines for non-compliance with privacy legislation, if those fines are insurable under the law. For those organizations using connected devices, coverage for bodily injury or property damage that results from an IoT-related hack may be available through an endorsement or rider added to a property insurance policy. If this is a concern for your organization, an experienced insurance broker will be able to advise you of appropriate risk transfer solutions.