Gov. Jerry Brown has signed two bills that could make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of California residents.
Brown signed Assembly Bill 1906 by Assemblywoman Jacqui Irwin, D-Thousand Oaks, and Senate Bill 327 by state Sen. Hannah-Beth Jackson, D-Santa Barbara. Both require manufacturers of connected devices to equip them with a “reasonable security feature or features” that are appropriate to their nature and function, and the information they may collect, contain or transmit — and are designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.” They define "connected device" as a device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.
“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.
The question of what defines a “reasonable security feature or features” is one of several that industry groups — among them, the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) — cited in their opposition to AB 1906. The CMTA said the bills are an attempt to “create a cybersecurity framework by imposing undefined rules on California manufacturers,” but instead create a loophole allowing imported devices to “avoid implementing any security features.” This, it said, makes the state less competitive and less attractive to manufacturers while increasing the risk of cyberattacks.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the CMTA said.
The Entertainment Software Association, one of three industry groups including NEMA that are opposed to SB 327, said existing law already requires manufacturers to set up “reasonable privacy protections appropriate to the nature of the information they collect.”