How Far Does California’s New IoT Security Law Reach?

[via Synack]

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures. The law requires that the connected device be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within from unauthorized access, destruction, use, modification or disclosure. IoT equipment suppliers are being asked to implement “security by design”. The FCC states the definition as “A development practice that reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.” Many are speculating if other states will adopt similar laws, but in the meantime, the California market is too big for suppliers to walk away from and many are trying to understand how these laws will impact their products.