California adds new layer of liability through new IoT security regulation

California and Oregon have become the first US states to mandate minimum levels of cybersecurity for internet of things (IoT) devices, opening a new chapter in cyber liability. Passed in 2018, California’s IoT Security Law entered into force on 1 January. It is the first dedicated IoT security law in the US. The new rules require manufacturers of all IoT devices sold in California – no matter where they are made – to incorporate “reasonable security measures”. A similar law passed by the neighbouring state of Oregon last year was also enacted in January. The California law covers a wide range of devices that are capable of connecting to the internet. These include consumer electronics, wearables, smart home devices, security cameras, medical equipment and connected vehicles, as well as business equipment like scanners and payment card systems. Such IoT devices have been implicated in a number of cyberattacks, including some large ransomware and denial-of-service incidents. As the number of IoT devices is expected to reach 20 billion this year, concerns over new risks have increased. The World Economic Forum, for example, warned this week that 5G and the IoT could make the world more vulnerable to cyberattack. “As 5G networks roll out, the use of connected IoT devices will accelerate dramatically, massively increasing networks’ vulnerability to large-scale, multi-vector, fifth-generation cyberattacks,” it said. Such new risks have seen the introduction of these new IoT rules in California and Oregon. According to Elisabeth Case, cyber and commercial E&O advisory leader at Marsh JLT Specialty, given the proliferation of connected devices it is reasonable to assume that similar new regulation will follow in the coming months and years across other US states or international jurisdictions. “There is already a growing concern about things such as connectible medical devices and the security that they must or should contain. It is not completely out of the realm of possibility that we will see a patchwork quilt of regulations by geography and industry,” she told CRE. Regulators and policymakers in Europe are also turning their attention to the security of connected devices. In June 2019, the European Cybersecurity Act entered into force. It established an EU cybersecurity certification framework under which companies self-certify compliance with certain security standards for IoT products. The UK government is also in the midst of legislating to mandate IoT security and labelling requirements for consumer devices. In May last year, the UK consulted on its plans, proposing that retailers may only sell consumer IoT products that have an IoT security label. Under the plans, manufacturers would need to self-assess and implement the security label. But self-regulation in the UK via a Code of Practice for IoT Security published in October 2018 appears to have failed. In its May consultation paper, the UK government said a large number of consumer IoT devices continue to be sold without basic cybersecurity provisions. “Despite providing industry with these tools to help address these issues, we continue to see significant shortcomings in many products on the market,” it said. Moves to regulate IoT product security create significant obligations for companies manufacturing and selling IoT devices. However, IoT cybersecurity laws are in their infancy and the extent of liability from the new law in California is not yet clear. “Initially, it appears that manufacturers and developers of these devices might incur additional liability, however the California law does not grant a private right of action. Enforcement has been left to regulators,” explained Ms Case. Compliance with the California law is also unclear. The law does not define “reasonable security measures” or prescribe the specific actions a manufacturer should take. While the law is specific on device authentication, and bars the use of single hard-coded passwords, it does not prescribe other security measures, such as updates or encryption. IoT developers and manufacturers still lack guidance about what is going to be required under the California statute, according to Timothy Marlin, cyber product development leader at Marsh JLT Specialty. “The law requires that devices are equipped with ‘reasonable security features’ but only provides limited guidance of what that means. There are differing opinions about how strict an interpretation California regulators will take, especially as the information contained on an IoT device becomes more private – for example a smart lightbulb vs a baby monitor vs an IoT medical device,” he said. “In the end, we will have to watch and learn as the California regulators begin to bring enforcement actions,” he added. California’s new IoT security rules are not the only cyber-related legislation that came into force in January. The California Consumer Privacy Act (CCPA), inspired by Europe’s General Data Protection Regulation, introduces increased privacy rights and data protection requirements in the state and seems to have overshadowed the introduction of IoT rules. “With so much attention on the 1 January 2020 rollout of the CCPA, the new IoT rules have slipped in with significantly less scrutiny or discussion. While some clients certainly are aware of these risks, there has been very little inquiry. Most of the focus continues to be on the risks associated with data privacy,” said Ms Case.

California adds new layer of liability through new IoT security regulation

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Related Articles