Dec 01, 2019It may be hard to believe, but the California Consumer Privacy Act is not the only new law that will go into effect on Jan. 1, 2020. Rather, new laws in California and Oregon that regulate Internet of Things (IoT) devices will go into effect on that date as well. Below is an overview of those laws.
California
In September 2018, California became the first state to enact legislation directed at securing IoT devices. The California legislation requires "manufacturers" of "connected devices" to equip them with "a reasonable security feature or features" that are appropriate to the nature and function of the device; appropriate to the information the device may collect, contain or transmit; and designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification or disclosure.
The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a "reasonable security feature" if the preprogrammed password is unique to each device or if the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The law defines a "connected device" as "any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address." It defines "manufacturer" as "the person who manufactures, or contracts with another person to manufacture on the person's behalf, connected devices that are sold or offered for sale in California."
Notably, the law exempts certain activities from its requirements. For example, it does not impose a "duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device." It also does not apply "to any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority." And the law exempts HIPAA-covered entities and business associates to the extent that the activity in question is covered by that act.
Oregon
Oregon's legislation was modeled on California's law and, therefore, shares many similarities. One notable difference is that Oregon's legislation defines "connected device" to mean "a device or other physical object" that "connects, directly or indirectly, to the Internet and is used primarily for personal, family or household purposes" and "is assigned an internet protocol address or another address or number that identifies the connected device for the purpose of making a short-range wireless connection to another device." The inclusion of the phrase "used primarily for personal, family or household purposes" is a potentially significant limitation for IoT manufacturers.
The Oregon legislation also contains a different definition of "manufacturer," stating that the term "means a person that makes a connected device and sells or offers to sell the connected device in this state." In comparison, California's law defines manufacturers to include any entity that "contracts with another person to manufacture [the connected device] on the person's behalf."
As with the California statute, Oregon's law requires manufacturers to equip connected devices with "reasonable security features." The law defines that term to mean "methods to protect a connected device, and any information the connected device stores, from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit."
A reasonable security feature "may consist of" a means for authentication from outside a local area network, including a "preprogrammed password that is unique for each connected device" or a "requirement that a user generate a new means of authentication before gaining access to the connected device for the first time." The law also provides that a reasonable security feature may consist of "compliance with requirements of federal law or federal regulations that apply to security measures for connected devices."
The law contains a number of exclusions, including for entities subject to Health Insurance Portability and Accountability Act (HIPAA) "with respect to any action that [HIPAA] regulates" and a "connected device, the functions of which are subject to and comply with the requirements, regulations and guidance that the United States Food and Drug Administration promulgates under 21 C.F.R. parts 800 to 1299 or other requirements, regulations and guidance the United States Food and Drug Administration promulgates with respect to medical devices, including software as a medical device."
With approximately two months to go until these new laws go into effect, entities subject to them should be reviewing these laws and taking steps to ensure that they are in compliance.
David M. Stauss is a partner at Husch Blackwell LLP and a co-leader of the firm's privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at david.stauss@huschblackwell.com.
Robert J. Bowman is a Denver-based partner in Husch Blackwell's Technology, Manufacturing & Transportation industry group and a co-leader of the firm's internet of things team. He can be reached at bob.bowman@huschblackwell.com.
Malia Rogers is an attorney in Husch Blackwell LLP's Denver office and assists clients on emerging data privacy issues.
