California Becomes First State to Regulate Internet-Connected Devices

Privacy & Cybersecurity Update

Date: October 10, 2018

Long a pioneer in consumer protection legislation, California has moved to the front of the line in regulating the so-called Internet of Things. On September 28, 2018, Governor Jerry Brown signed a landmark cybersecurity bill that makes California the first state to pass legislation regulating internet-connected devices, beating even the federal government to the punch. The law comes at a time when more and more internet-connected products are hitting the shelves and entering our homes. For example, just this past September, Amazon introduced a number of new Alexa-enabled products, including subwoofers, clocks and car gadgets. Policymakers have expressed growing concern over the security of internet-connected devices and their potential vulnerability to cyberattacks and other abuses, and California has taken the first steps toward addressing those concerns through legislation.

Effective January 1, 2020, Senate Bill No. 327 Information Privacy: Connected Devices (SB 327) will require a “manufacturer” of a “connected device” to equip the device with a reasonable security feature or features. For purposes of SB 327, “connected device” includes a wide variety of devices, covering any physical object that is capable of connecting directly or indirectly to the internet and has an internet protocol (IP) or Bluetooth address. “Manufacturer” refers to any person who manufacturers, or contracts with any person to manufacture, connected devices that are sold in California.

Under the new law, to meet the “reasonable security features” standard, the product’s security measures must be:

  • appropriate to the nature and function of the device;
  • appropriate to the information it may collect, contain or transmit; and
  • designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.

In addition to those general guidelines, SB 327 adds an additional specific requirement for passwords. If accessible outside of a local area network, to meet the “reasonable security features” standard, the device must have either preprogrammed passwords that are unique to each device (so, no more default login credentials), or a way to generate new authentication credentials before accessing it for the first time. This specific provision of SB 327 addresses concerns around the relative ease with which default passwords can be guessed by hackers.

Early reactions to the bill by industry participants are mixed, with some praising the flexibility of the general guidelines and others maintaining that the lack of flexibility will make the law hard to interpret. We will keep you informed of further developments as SB 327 is applied by regulators and the courts and guidance is issued so that you can be in the best position to comply.


For more information, please contact:

Thomas F. Zych

Steven G. Stransky

Darcy M. Brosky

Craig A. Foster

Dann Bruno

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.