In September of this year, with SB 327, California stepped into the vanguard of information age law by passing a cybersecurity regulation on the Internet of Things. SB 327 adds new sections to Cal. Civil Code §1798, specifically §1798.91 et seq. While this seems to be a good thing, the larger questions are what the law does and how far it reaches.

What does it Do?

In a nutshell, the law requires the manufacturer of a “connected device” to 1) equip it with reasonable security feature(s) appropriate to a) the nature and function of the device and b) the information it may collect, contain, or transmit; and 2) ensure those security features are designed to protect the device and any information within it from unauthorized access, destruction, use, modification, or disclosure.

Recognizing the inherent ambiguity that “reasonable security feature(s)” may cause, the drafters of the law fortunately provided some clarification: if the device is subject to authentication from outside a local area network, the security feature is deemed reasonable if either the device is equipped with a unique preprogrammed password, or the device requires the user to generate a new means of authentication before initial access is granted.

Note that this is a “reasonableness test” just for the authentication aspect of the device. The rest of the requirements in Cal. Civil Code §1798.91.04(a) will still mandate reasonable security beyond just the authentication aspects of the device.

How Far does it Reach?

“Connected device” is defined quite broadly. Under the definition, all the IoT devices we have discussed in previous posts should be covered by the law. The law also makes it apparent that manufacturers are the primary party subject to the requirements, and it applies to manufacturers located anywhere, even outside of California, if they sell or offer devices for sale in California.

Why does this Matter?

This law will have far-reaching effects because the world we live in is a connected world. The Internet of Things is technology that increasingly influences everyone’s life, and any business that manufactures devices is increasingly making those devices “connected”.

Until now, no such cybersecurity law existed. The legal landscape around whether and when OEMs had to incorporate cybersecurity was a veritable wild west. Adoption of this measure now mandates that security measures be “baked” into the device before any human user intervention. “Reasonable security” is now “table stakes” for anyone selling a smart device in California – which is nearly everyone.

Of course, there is much debate about what “reasonable security” might be. Under SB 327 there is some guidance, but it is still limited. Section 1798.91.04 does provide a floor for authentication requirements with the mandate that either a unique preprogrammed password will be provided OR the user won’t be able to use the device until the password is changed. However, there is still some question as to what the rest of the requirements will need to be to “protect the device and any information within from unauthorized access, destruction, use, modification, or disclosure.” Still, California has taken the vanguard position in regulating IoT devices specifically. The Federal government and other states have not looked at this question from a “connected device” perspective. Most other laws imposing cybersecurity requirements talk about a “system”, which can include devices, but can also include other controls (e.g. network security, physical security, etc.).
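The authentication floor described above and in the earlier discussion of §1798.91.04 is concrete enough to show in code. The following is an added example, not code from the post or from any manufacturer: it models a device that satisfies the floor in one of the two ways the statute names (a preprogrammed password that is not a shared default, or no usable credential until the user generates one), plus a manufacturing-line check that flags duplicate or default passwords across a batch. The sample serial numbers and passwords are constructed, and the minimum-length policy and the list of shared defaults are assumptions of the example, not requirements of SB 327.

```python
"""Device-side authentication gate modelled on the SB 327 floor (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from enum import Enum

# Constructed list of shared factory defaults that fail the uniqueness test
# (illustrative values only; the statute names none).
SHARED_DEFAULTS = {"", "admin", "password", "1234", "12345", "default"}
MIN_LENGTH = 12  # assumed local policy; SB 327 sets no length requirement


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a dumped configuration does not expose the credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_batch(passwords: dict[str, str]) -> list[str]:
    """Manufacturing-line check for the 'unique preprogrammed password' option:
    each unit's password must be non-default and not shared with another unit."""
    findings: list[str] = []
    seen: dict[str, str] = {}
    for serial, pw in passwords.items():
        if pw in SHARED_DEFAULTS:
            findings.append(f"{serial}: shared default password")
        elif pw in seen:
            findings.append(f"{serial}: password reused from {seen[pw]}")
        else:
            seen[pw] = serial
    return findings


class AuthResult(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    SETUP_REQUIRED = "setup required"


class ConnectedDevice:
    """A device in one of the two compliant modes:
    (a) shipped with a unique preprogrammed password, or
    (b) shipped with no credential, so nothing works until the user sets one."""

    def __init__(self, serial: str, *, preprogrammed_password: str | None = None):
        self.serial = serial
        self._salt = os.urandom(16)
        self._hash: bytes | None = None
        if preprogrammed_password is not None:
            if preprogrammed_password in SHARED_DEFAULTS:
                raise ValueError("preprogrammed password must be unique, not a shared default")
            self._hash = _hash_password(preprogrammed_password, self._salt)

    def set_credential(self, new_password: str) -> None:
        """First-access setup in mode (b), or a later change in either mode."""
        if new_password in SHARED_DEFAULTS or len(new_password) < MIN_LENGTH:
            raise ValueError("credential rejected by policy")
        self._salt = os.urandom(16)
        self._hash = _hash_password(new_password, self._salt)

    def authenticate(self, password: str) -> AuthResult:
        """Gate for an authentication attempt from outside the local network."""
        if self._hash is None:
            # Mode (b): no credential exists yet, so access is refused outright.
            return AuthResult.SETUP_REQUIRED
        candidate = _hash_password(password, self._salt)
        if hmac.compare_digest(candidate, self._hash):
            return AuthResult.GRANTED
        return AuthResult.DENIED


def demo() -> dict:
    """Run both modes on constructed data and return the observable results."""
    batch = {  # constructed production batch: one reuse, one shared default
        "SN-0001": "k4Vq-9xPz-2Tm",
        "SN-0002": "k4Vq-9xPz-2Tm",
        "SN-0003": "admin",
        "SN-0004": "r8Hw-1cLs-7Qn",
    }
    unique_dev = ConnectedDevice("SN-0004", preprogrammed_password="r8Hw-1cLs-7Qn")
    setup_dev = ConnectedDevice("SN-0005")
    before_setup = setup_dev.authenticate("anything")
    setup_dev.set_credential("Correct-Horse-Battery")
    return {
        "batch_findings": check_batch(batch),
        "unique_ok": unique_dev.authenticate("r8Hw-1cLs-7Qn"),
        "unique_bad": unique_dev.authenticate("admin"),
        "setup_before": before_setup,
        "setup_after": setup_dev.authenticate("Correct-Horse-Battery"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The batch check is where the statute’s “unique” requirement actually bites: a per-device password that happens to be the same string on every unit is no better than a shared default, so the check is run over the whole production run rather than per device. The device class keeps only a salted hash, and in mode (b) it returns SETUP_REQUIRED rather than DENIED so that a legitimate first-time user can be directed to the setup step while remote callers still get nothing usable.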

So is this a problem?

Just a few observations to keep in mind:

  • First, this is a California state-specific law. There is no federal law on this issue. This can create preemption and constitutionality questions – adding to the uncertainty of compliance.
  • Second, “reasonable security” outside the authentication protocols of the device is still ambiguous. This leaves businesses looking to standards like the NIST guidelines, which can be overwhelming, or taking the risk that their security is deemed inadequate “after the fact”.
  • Third, SB 327 expressly carves out third-party software from being subject to this title. However, the interconnectivity of such third-party software may well be the source of a security breach – the NIST guidelines recognize this. As such, is it reasonable security to not consider how a device interacts with third-party software? This approach seems to fail to consider how devices (and software) are built today.

Fortunately, SB 327 does not include a private right of action – so the plaintiff’s bar will be limited in what they can do. Unfortunately, city and county attorneys do have authority to enforce the law. This means that an activist city attorney may well force a device manufacturer into court.

In any event, SB 327 can be seen as the beginning of a trend in which OEMs’ responsibilities expand beyond merely making sure their devices are safe to also making sure the software inside the device is safe.

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

The Data Privacy & Protection in the EU-U.S. Desktop Guide is available on request as a PDF or hard copy.

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to subscribe to Seyfarth’s Carpe Datum Law Blog and to Seyfarth’s The Global Privacy Watch Blog.

When you bring to mind someone “hacking” a computer, one of the images that likely comes up is a screen of complex code designed to crack through your security technology. While there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person. Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website than to crack an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing. Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust. The hacker then asks you to provide personal information such as passwords, login IDs, computer names, etc., all of which can be used to compromise your accounts. The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company. Note that this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar. In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information. Be wary of links to sites that are sent to you through untrusted sources or email. If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site. Try to access the site through a familiar link.

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare for and reduce the cost of EU GDPR compliance.

The 2017 edition of The Legal 500 United States recommends Seyfarth Shaw’s Global Privacy & Security Team as one of the best in the country for Cyber Law (including data protection and privacy). In addition, based on feedback from corporate counsel, the co-chairs of Seyfarth’s group, Scott A. Carlson and John P. Tomaszewski, and Seyfarth partners Karla Grossenbacher (head of Seyfarth’s National Workplace Privacy Team) and Richard D. Lutkus were recommended in the editorial. Richard Lutkus is also listed as one of 14 “Next Generation Lawyers.”

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities.