Near as we can tell, nearly all IoT products are being made in China these days. And near as we can tell, most of those IoT products being made in China by foreign companies are being sold in the United States, and that includes California. It therefore bears mentioning that California Governor Jerry Brown last week approved SB-327, the first information security law in the U.S. specifically targeting the IoT.
SB-327 takes effect on January 1, 2020. It requires manufacturers of connected devices (essentially, IoT devices) to equip them with “reasonable” security features. Those features must be appropriate to the nature and function of the device and to the information it collects, contains or transmits, and they must be designed to protect the device and that information from unauthorized access, destruction, use, modification or disclosure. For a device that can be authenticated from outside a local area network, the statute treats the password requirement as met only if either the preprogrammed password is unique to each device manufactured, or the device requires the user to generate a new means of authentication before it grants access for the first time. A single factory default shared across every unit (the familiar “admin/admin”) satisfies neither branch.
It is important to emphasize that SB-327 imposes its requirements on manufacturers, not on users of IoT devices. For companies whose devices qualify, that may mean reworking, redeveloping, or in some cases reinventing their products.
It is also important to note that this new California law will apply to more than just California manufacturers. It will apply to any business that manufactures — either itself or through a contracting third party — qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold number for product sales in California. Consequently, pretty much any manufacturer, anywhere, could be subject to SB-327.
Complying with SB-327 may be as simple as assigning a randomly generated, per-device password to each unit you ship, or re-tooling your device’s software or firmware to provide more robust protection. For some manufacturers, especially those whose devices gather or contain sensitive information, compliance may be more involved and may require a ground-up redesign. Enforcement is by the California Attorney General, city attorneys, county counsel and district attorneys (the statute itself creates no private right of action), and because this is California, you should expect that enforcement to be vigorous if you do not comply.
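The unique-password clause is the one part of SB-327 that translates directly into engineering. The following is an added example, not code from the original post or from the law firm; it sketches how a manufacturer might provision per-device credentials and audit a fleet for the shared-default pattern the statute rules out. The record layout, the `KNOWN_DEFAULTS` list and the choice of PBKDF2 are assumptions for illustration, and the serial numbers and fleets are constructed sample data.

```python
"""Per-device credential provisioning for the SB-327 password clause.

Added example, not from the original post. Assumes the manufacturer keeps one
provisioning record per device serial; the record stores only a salted hash so
the factory database is not itself a list of every device's password.
"""
import hashlib
import hmac
import secrets
import string

# Constructed sample list of shared factory defaults, the pattern SB-327 rules
# out for devices reachable from outside the local network.
KNOWN_DEFAULTS = {"admin", "password", "12345678"}

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, ~5.95 bits each
PBKDF2_ITERATIONS = 100_000                       # assumption; tune for your hardware


def generate_password(length: int = 16) -> str:
    """CSPRNG-backed password; 16 symbols from a 62-symbol alphabet is ~95 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is in the standard library; scrypt or Argon2 would also do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_device(serial: str, force_setup: bool = False) -> tuple[dict, str]:
    """Create the factory record for one device.

    Returns (record, label_password). The plaintext goes only to the printed
    label or QR code; the record keeps a per-device salt and hash.
    force_setup=True models the statute's alternative branch: no usable
    preprogrammed password, the user must set credentials before first access.
    """
    salt = secrets.token_bytes(16)
    if force_setup:
        return {"serial": serial, "salt": salt, "hash": None, "setup_required": True}, ""
    password = generate_password()
    record = {"serial": serial, "salt": salt,
              "hash": hash_password(password, salt), "setup_required": False}
    return record, password


def verify_password(record: dict, attempt: str) -> bool:
    if record["hash"] is None:
        return False  # nothing to log in with until the user completes setup
    return hmac.compare_digest(record["hash"], hash_password(attempt, record["salt"]))


def audit_fleet(records: list[dict]) -> list[str]:
    """Return human-readable findings; an empty list means the fleet passes.

    Checks the two things the clause requires: no device ships with a shared or
    known default, and every device either carries its own preprogrammed
    credential or forces setup on first use. Because hashes are salted per
    device, a shared password is found by testing known defaults against each
    record rather than by comparing hashes to each other.
    """
    findings = []
    for rec in records:
        if rec["setup_required"]:
            continue
        if rec["hash"] is None:
            findings.append(f"{rec['serial']}: no credential and setup not forced")
            continue
        for default in sorted(KNOWN_DEFAULTS):
            if verify_password(rec, default):
                findings.append(f"{rec['serial']}: uses known default {default!r}")
    return findings


def demo() -> dict:
    """Constructed fleets: one compliant, one shipped with a shared default."""
    good, labels = [], {}
    for serial in ("SN-0001", "SN-0002", "SN-0003"):
        rec, pw = provision_device(serial)
        good.append(rec)
        labels[serial] = pw
    setup_rec, _ = provision_device("SN-0004", force_setup=True)
    good.append(setup_rec)
    # Non-compliant fleet: every unit hashed with the same factory default.
    bad = []
    for serial in ("SN-1001", "SN-1002"):
        salt = secrets.token_bytes(16)
        bad.append({"serial": serial, "salt": salt,
                    "hash": hash_password("admin", salt), "setup_required": False})
    return {
        "good_findings": audit_fleet(good),
        "bad_findings": audit_fleet(bad),
        "unique_labels": len(set(labels.values())) == len(labels),
        "label_verifies": all(verify_password(r, labels[r["serial"]])
                              for r in good if not r["setup_required"]),
    }
```

Running `demo()` yields no findings for the compliant fleet and one finding per unit of the fleet that shipped with `admin`. The audit only catches defaults you already know about; the structural guarantee comes from `provision_device` never producing the same password twice and from the factory database holding hashes rather than the label values.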
Any company that has had to deal with California’s Proposition 65 knows whereof we are speaking here. Speaking of Proposition 65, this is another California law of which companies that manufacture in China and sell into California must be aware. Proposition 65 (the Safe Drinking Water and Toxic Enforcement Act of 1986) requires the State to publish a list of chemicals known to cause cancer, birth defects or other reproductive harm, and it prohibits businesses from knowingly exposing individuals to a listed chemical without first providing a clear and reasonable warning. For carcinogens, the warning requirement applies unless the exposure is below the “no significant risk level,” generally one excess cancer case in 100,000 people exposed over a 70-year lifetime.
Here though is the big issue with Proposition 65: a company whose product exposes Californians to a listed chemical without the required warning may be sued by a private party for having that product in California. What this means is that if you are having a product made in China (or anywhere else) and that product ends up in California, you are at risk of having to pay a lot of money to lawyers to defend against such a lawsuit and of having to pay the plaintiff in such a lawsuit a lot of money to make it go away.
And let me tell you, this is not just a hypothetical risk; I know this because my law firm’s Los Angeles and San Francisco offices deal with these sorts of cases on behalf of our clients (American, European and Asian) all the time.
If you sell your products into the United States, you should figure that will include California and you should figure that you will need to contend with SB-327 and/or Proposition 65 and don’t say we didn’t warn you.
What are you seeing out there?
Editor’s Note: This post was co-written by Griffen Thorne, a cybersecurity lawyer based in our Los Angeles office.