Back in early 2015, the Federal Trade Commission (FTC) was the first government entity to take action with regard to IoT device security. They released a report asking that companies that were developing Internet connected devices take proactive steps to protect consumers’ privacy, while also keeping their data secure. The state of Oregon has just joined California as the second state to regulate IoT devices. This is a trend that I see continuing, as I suspect that more states will seize the opportunity to require that reasonable security measures be taken in the development of products that are capable of Internet connections. Manufacturers need to take notice of this trend now, so that they are positioned to comply with these emerging privacy and data security laws as they get passed. The following article describes more about these two state’s laws and what to expect down the road.
Beginning in January 2020, two states will begin regulating the Internet of Things (IoT).
California enacted its law last year, which applies to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an IP or Bluetooth address.”
The definition encompasses everything from thermostats to televisions to fitness trackers, refrigerators, automobiles, security cameras, and devices such as the Amazon Echo and Google Home.
Manufacturers of connected devices are required to implement “reasonable” security features that are appropriate to the nature and function of the device; appropriate to the information collected by, contained in or transmitted by the device; and designed to protect the device and information it contains from unauthorized access, destruction, use, modification or disclosure. The new law also mandates that each connected device must be equipped with a password to authenticate the user before she is granted access to the device for the first time. The password can be either a unique preprogrammed password or a user-generated means of authentication.