California Sets the Bar for IoT Security Regulations
You may not operate out of California, but once again, the Golden State is leading the charge with regulations that can have a lasting impact on your IT infrastructure. Considering the amount of business that comes out of California and the growing surge of devices connected to the IoT, you should definitely be ready for this mandate at the start of the new year.
Earlier in 2019, California Governor Jerry Brown signed into law a new bill aimed at regulating the security of IoT devices, which is set to go into effect Jan. 1.
The goal of the law is to better address the risks that increased connectivity brings to the workplace. However, it may leave more questions than answers. Broad guidance and a lack of clarity around what a “reasonable security feature” actually is make it difficult for the organizations responsible for complying with the law. It is a good first step toward better securing IoT devices, but it fails to outline specific instructions.
The bill defines a connected device as “any device, or other physical object that is capable of connecting to the Internet Protocol address or Bluetooth address.” For anyone on the security team attempting to determine whether a device fits within their company’s security policy, this definition could be problematic. Connected devices include anything from computers to thermostats to copy machines and employees’ personal fitness monitors.
Also under the new law, a reasonable security feature is outlined as one that is “appropriate to the nature and function of the device, appropriate to the information it may collect, contain or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure, as specified.” The law also calls for better authentication and password management.
However, the California Department of Justice’s California Data Breach Report from February 2016 defined compliance with the CIS Critical Security Controls as the “floor” for reasonable cybersecurity. Yet the CIS 20 isn’t specific to IoT devices, and applying some of the CIS controls to IoT devices doesn’t make any sense, leading to confusion between the 2016 report and the new law.
The law’s biggest mistake is that it refers to a set of controls that are not meant for IoT device security. The good news for any company worried about noncompliance is that the law prohibits private parties from suing under it. Enforcement, instead, is delegated to the California Attorney General, city attorneys, county counsels and district attorneys. Also, little specificity is given to the types of penalties, maximum penalties, or how officials plan to prove that a violation occurred.
This new regulation may not affect you right away, but it is always good to be prepared for copycat legislation that might arise where you do business. 2W Tech has IT Consultants on staff who specialize in security solutions and the IoT. Contact us today to get started on minimizing your security risks and ensuring your compliance obligations are met.