eDiscovery Daily Blog

In California, IoT Device Cybersecurity Foresight is Also 2020, Apparently: Cybersecurity Trends

As I noted a couple of months ago, 2018 is certainly on its way to becoming the year of data privacy rights for the individual and, back then, California passed a new data privacy law which will give consumers several rights regarding their personal data (though the California AG doesn’t seem thrilled about it).  Now, California is once again poised to take the lead on important new technology policy.

As reported by The Washington Post (The Cybersecurity 202: California’s Internet of Things cybersecurity bill could lay groundwork for federal action, written by Derek Hawkins), a bill to set cybersecurity standards for Web-connected devices — from thermostats to webcams to cars — is awaiting Governor Jerry Brown’s signature after cruising through the state legislature late last month. If Brown signs it, California would become the first state to pass legislation to govern security of Internet of Things (IoT) devices, which experts say is crucial as these products proliferate and malicious hackers find new ways to exploit them.  Like the data privacy law passed back in June, this one (if signed by Governor Brown) also takes effect on January 1, 2020.

However, many cybersecurity researchers argue the California bill (SB-327) fails to address the core issues that make connected devices vulnerable to hacks. Nonetheless, it could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level. California’s bill, if signed by Brown, could rekindle the national discussion, much as the landmark privacy law the state recently approved helped spur high-level talks between the Commerce Department and tech giants about federal privacy regulations.

Policymakers grew more concerned about vulnerabilities in IoT devices after the massive Mirai botnet attack in 2016 highlighted just how poorly secured many such devices are. In that incident, hackers exploited weaknesses in webcams and other connected devices and used them to launch cyberattacks that took down Netflix, Spotify and other major websites for hours.

There’s legislation on the table in Congress that would go further. The Internet of Things Cybersecurity Improvement Act, introduced by Virginia Senator Mark R. Warner and Colorado Senator Cory Gardner, would use the federal government’s buying power to boost IoT security. Under the bill, any companies that do business with the federal government would have to ensure that their connected devices are patchable, come with passwords that can be changed, and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.  However, those efforts and others have so far failed to gain traction, despite bipartisan agreement that some sort of federal standards may be necessary.

As for the California bill, some experts said its broad language was too vague to be effective, and offered an example of how not to approach IoT security. Well-intended as it might be, the bill “would do little to improve security, while doing a lot to impose costs and harm innovation,” according to security researcher Robert Graham.

I guess we’ll see what happens with that bill as well as other efforts to regulate the security of IoT devices.  As usual, it will probably take a few well-publicized hacks before any serious progress is made.  We take for granted how many IoT devices we use these days – maybe I’ll have to conduct a survey soon to get a sense of how many IoT devices each of us uses and what types.  That would be interesting!

So, what do you think?  Will the California IoT bill make a difference?  Please let us know any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.