Last week, California Governor Jerry Brown signed SB-327 into law. This will be the first U.S. cybersecurity law covering the Internet of Things (IoT), a notoriously porous area of modern endpoint security perimeters.
The California IoT Cybersecurity Law will be enforced starting January 1, 2020. Here are some of the key takeaways from this brand new law:
- Manufacturers of connected devices, such as IoT devices, must equip each device with reasonable security features appropriate to the nature and function of the device.
- These IoT security features must be appropriate to the information the device collects, contains, or transmits.
- The security features must protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
- Preprogrammed passwords installed in IoT devices must be unique to each device manufactured.
- If the device does not have a preprogrammed password, users must set their own password the first time they connect.
The California IoT Cybersecurity Law has been praised and criticized in equal measure. Those in favor praise the law as a much-needed first step toward better digital perimeter security. Criticisms tend to focus on the law's failure to address the negative aspects of the IoT that can cause data breaches.
The IoT has long suffered from blatant security risks. IoT manufacturers often place no endpoint security on their devices, or only minimal security that is difficult to update or replace. Many devices ship with standard default credentials shared among them, which can be exploited to access any network the device connects to. Whether the California IoT Cybersecurity Law disrupts this pattern of complacency remains to be seen, but it can be seen as an indication of changes to come.