California’s IoT Security Law

The Internet of Things (“IoT”) law attempts to address critical cybersecurity issues that federal lawmakers have ignored for too long. Nearly four years ago, the Federal Trade Commission staff released a report in which it noted
“broad agreement” that “increased connectivity between devices and the Internet may create a number of security and privacy risks.” But even as connected devices proliferate, Congress has failed to pass legislation to regulate IoT security. The new law tries to fill that gap by requiring manufacturers of connected devices to embed reasonable security features that are: (1) appropriate to the nature and function of the device, (2) appropriate to the information it may collect, contain, or transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.