Consumer Reports outlines its concerns about AB 2392, which would add a new safe harbor to the state’s requirement to keep the data of internet-connected, or “Internet of Things” (IoT) devices secure. Internet-connected devices like smart speakers and cameras are growing in popularity, leaving more and more consumers vulnerable to security breaches. In 2018, California adopted a first-of-its-kind law requiring manufacturers to adopt reasonable security procedures to keep IoT devices protected from hackers. Unfortunately, because the 2018 measure already included a safe harbor for enabling a device with a password — even though passwords are just one element of reasonable security — existing law does not adequately protect the security of these devices.
This bill, AB 2392, proposes to add a new safe harbor to the IoT security requirement — for compliance with the recent National Institute of Standards and Technology (NIST) labeling framework — compounding the problems with the existing law. Neither safe harbor is suited to constitute reasonable security. At the very least, we recommend replacing the existing safe harbor for unique passwords in Cal. Civ. Code 1798.91.04(b) with a stronger safe harbor, similar to the one proposed in this bill, but adjusted to account for updates to the NIST document.
First, lawmakers must remove the safe harbor in Cal. Civ. Code 1798.91.04(b) for new or unique passwords. Passwords can be accessed or circumvented, and they should not by themselves be considered reasonable security. A device can require a unique password for remote connections while otherwise being left unsecured. Gizmodo points out how easy it is for attackers to obtain your password, including by “someone simply guessing it, using a phishing attack to make you enter it into a compromised site, or using a brute-force attack to try a huge number of combinations in rapid succession (which many apps and sites will now stop from happening).” And according to CSO, “Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk.”
This bill proposes to add a new safe harbor, but this fails to address the underlying problems with the law. And because the proposed safe harbor is so specific, it is likely to be outdated fairly quickly. Under the bill, the security requirement is satisfied if a third party assesses that the manufacturer of a connected device meets the baseline criteria of NIST’s Feb. 4, 2022 Cybersecurity White Paper, “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” and the product is labeled as such. This is stronger than the existing safe harbor, including because it requires obtaining a third-party assessment for adherence to the security criteria, as well as a labeling requirement to help guide consumers. But the existing safe harbor still remains, and further, using a specific, dated paper as a safe harbor for compliance means that it could become outdated as technology changes. Data security language should be flexible so that businesses can adapt their security techniques to respond to new threats. Data security statutes around the country, including California’s security requirement for data owned, licensed, or maintained by a business, reflect this.
Of course, a safe harbor isn’t necessary at all: for companies seeking more guidance, there are a number of security standards available; Consumer Reports has helped develop the Digital Standard for this purpose. Any company that could show that it adhered to one of these standards could have a reasonable defense against claims of wrongdoing.
For the full letter, please see the attached PDF.