IoT Security Legislation: How Far Does It Need to Go?

In a world full of IoT devices, it seems inevitable that some form of regulation would eventually be put in place to deal with concerns around privacy and security. California, hoping to set the standard for data security, is poised to enact the first state law in the U.S. to do just that.

Two bills currently sit on Governor Jerry Brown’s desk, setting out new requirements for all devices sold in California that connect directly or indirectly to the internet with assigned internet protocol or Bluetooth addresses. The legislation states that, by January 2020, these IoT products must contain some type of built-in security against cyberattack, appropriate to the nature and function of the device. Is it enough?

Some critics say these bills, while a good start, are too vague, and run the risk of introducing huge costs to consumers. On the one hand, the legislation states that manufacturers will be responsible for the embedded security features for all devices sold in California. However, there is no mention of the components from other countries that the manufacturers use to assemble their products. Should manufacturers be responsible for a security check on these purchased components? A variety of interest groups will have much to say in the coming months. This Washington Post piece breaks it down nicely.

Moving forward, most agree that although security legislation is a step in the right direction, more needs to be done to fill in the gaps and implement controls in the IoT sector.

It’s just another way that IoT and smart devices need to get smarter.