IoT and Its Legal Implications

The “Internet of things” (IoT) is the extension of internet connectivity into physical devices and everyday objects, from baby monitors to pacemakers, from toasters to televisions, from DVRs to printers, from thermostats to lights.[1]  Embedded with internet connectivity, software and sensors, IoT devices can communicate and interact with each other in real-time over the internet, and can be remotely monitored and controlled, creating a host of cyber security, privacy, and other concerns.  Compounding these threats is the problem that due to their small size, many IoT devices have significant operational and computational constraints, which can limit their ability to implement basic security measures such as firewalls and encryption.[2]

For example, computer-controlled devices in automobiles, such as brakes, engines, locks and hood releases, have been shown to be vulnerable to attackers able to hack into an on-board network.[3]  In 2016, a distributed denial of service attack powered by IoT devices running malware caused major internet platforms and services to be unavailable to large segments of users in Europe and North America.[4]  Affected services included Amazon, CNN, DirecTV, PayPal, Pinterest, Starbucks, Twitter, Verizon, and many others.[5]  In another instance, researchers confirmed that some IoT baby monitors are susceptible to attack, allowing hackers to use and control their built-in cameras remotely to spy on home occupants.[6]  In yet another example, Revolv home automation devices were “bricked” or rendered completely useless when Nest Labs, following its acquisition by Google,  shut down the servers that the Revolv devices had used to operate.[7]

Problems such as these are by no means isolated and have spawned much debate over if and how IoT privacy and security concerns can be addressed.

California recently became the first state to enact legislation to address IoT cyber security.  Effective January 1, 2020, California’s IoT law, currently known as SB-327, will require manufacturers of internet-connected devices, including TVs, phones, toys, household appliances and routers among others, to ensure that their products have “reasonable security features” to protect the device and information therein from “unauthorized access, destruction, use, modification or disclosure.”[8]  The Act provides that a device has reasonable security features if a “preprogrammed password is unique to each device” or the device requires a user to “generate a new means of authentication before access is granted to the device for the first time.”[9]  Beyond that, there is no further guidance for manufacturers of IoT devices.  Moreover, the California law will apply to any “manufacturer” of IoT devices sold or offered for sale in California, even if the manufacturer has no operations in California, which is potentially very far-reaching.[10]

Additionally, former United States Attorney General Jeff Sessions has claimed that SB-327 is unconstitutional, noting that the Constitution prohibits states from regulating interstate commerce.[11]  Further still, SB-327 does not create a private right of action.  Instead, only the California Attorney General, a city attorney, a county counsel, or a district attorney have the right to enforce SB-327.[12]  It seems peculiar to entrust the enforcement of a civil cybersecurity law affecting millions if not billions of IoT devices to the government.

While SB-327 has not yet gone into effect and while the U.S. Department of Justice has taken no action with respect to SB-327, it will be interesting to see how effective the new California IoT legislation will be in practice.— James V. Fazio, III

 

[1] https://en.wikipedia.org/wiki/Internet_of_things

[2] https://www.hindawi.com/journals/wcmc/2018/9373961/

[3] https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

[4] https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/

[5] https://en.wikipedia.org/wiki/2016_Dyn_cyberattack#cite_note-:0-2

[6] https://www.theregister.co.uk/2018/06/22/baby_monitor_hacked/

[7] https://arlogilbert.com/the-time-that-tony-fadell-sold-me-a-container-of-hummus-cb0941c762c1

[8] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327.  The law is codified at Title 1.81.26 commencing with Section 1798.91.04 of California’s Civil Code.

[9] Cal. Civ. Code §1798.91.04(b).

[10] Cal. Civ. Code §1798.91.05(c).

[11] https://www.securityweek.com/california-iot-cybersecurity-bill-signed-law

[12] Cal. Civ. Code §1798.91.06(e).