California just became the first state with an Internet of Things cybersecurity law

[steven36]

California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August.

 

 

Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

 

The bill has been praised as a good first step by some and criticized by others for its vagueness. Cybersecurity expert Robert Graham has been one of its harshest critics. He’s argued that it gets security issues backwards by focusing on adding “good” features instead of removing bad ones that open devices up to attacks. He praised the password requirement, but said it doesn’t cover the whole range of authentication systems that “may or may not be called passwords,” which could still let manufacturers leave the kind of security holes that allowed the devastating Mirai botnet to spread in 2016.

 

But others, including Harvard University fellow Bruce Schneier, have said that it’s a good start. “It probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington Post. While the rule is only state-wide, any device-makers who sell products in California would pass the benefits on to customers elsewhere.

 

Several Internet of Things-related bills have been introduced in Congress, but none have made it to a vote. The IoT Cybersecurity Improvement Act of 2017 would set minimum security standards for connected devices purchased by the government, but not electronics in general. Taking a separate track, the IoT Consumer TIPS Act of 2017 would direct the Federal Trade Commission to develop educational resources for consumers around connected devices, and the SMART IoT Act would require the Department of Commerce to conduct a study on the state of the industry.

 

Source

[mkc21]

meh, more laws like always everywhere, and no-one to enforce them I'm guessing.

[steven36]

2 hours ago, mkc21 said:

meh, more laws like always everywhere, and no-one to enforce them I'm guessing.

That will up to that state too enforce , laws like this set a precedent that one day  they may  be a federal law  that's something like it will pass. People on this forum  said no one would ever enforce the data breach law  ether when it 1st started out in one sate like this did, Now its a federal law , companies are being fined millions of dollars for not protecting peoples data,  So now there eating crow...