With the increasing pervasiveness of smartphones across the globe, it’s becoming more common for companies to want to connect their products and devices to the Internet, since connectivity typically adds value to consumers’ experiences with these products and devices. Connectivity also helps companies compete in a highly connected world. However, connectivity can also be a bit of a double-edge sword, creating security vulnerabilities and privacy concerns where there were none before. This is especially the case when the most basic of cybersecurity hygiene is ignored by manufacturers and/or consumers or when cybersecurity best practices are simply unknown to end users.
One of the lowest hanging fruits in the world of connected-device security is changing user names and passwords from the manufacturer’s default settings. Several factors contribute to this reality, and both manufacturers and consumers are partly to blame. However, a bill in California aims to force change by, essentially, banning manufacturers of connected devices from using weak passwords or requiring manufacturers to require users to set new passwords before completing initial device set up.
The “Information privacy: connected devices” Senate Bill No. 327 states that beginning Jan. 1, 2020, manufacturers of connected devices must equip these devices with “a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” The bill, which was approved by California’s governor, Jerry Brown, on Sept. 28, 2018, will put some burden of responsibility on manufacturers to protect the devices they’re bringing to market, although it will still be up to consumers to update devices and ensure user names and passwords are unique.
SB-327 comes on the heels of the passage of consumer privacy legislation by the California State Legislature in June via Assembly Bill No. 375, which enacts the California Consumer Privacy Act of 2018. AB-375 states that beginning Jan. 1, 2020, consumers have the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. The bill also provides an opt-out option for consumers who do not want businesses to sell their personal information to third parties, and it states businesses must not discriminate against consumers who opt out, for instance, by charging them a different price. The bill also aims to protect the data of minors under the age of 16 and requires businesses to consent to the deletion of consumers’ personal information upon request by individual consumers.
Such steps by the State of California are bringing the state to frontlines of the battle for consumer rights and data protection in a connected era. While both measures will have to wait until 2020 to be put into effect, the industry must consider the implications of California’s leadership on connected-device security and data collection both inside and outside of the state. As IoT (Internet of Things) adoption swells in both the consumer and enterprise sectors, the status quo of bringing connected products to market as quickly as possible will need to be re-evaluated in light of pushback from consumer advocate groups and government legislation like California’s that demands manufacturers take a bigger role in protecting devices from cybercriminals. Likewise, businesses that leverage consumers’ personal data must not wait to start rethinking how they collect information and respond to consumer requests for privacy and/or visibility.
Want to tweet about this article? Use hashtags #IoT #M2M #cybersecurity #security #connectivity #data #privacy #legislation #bigdata #CaliforniaConsumerPrivacyAct AI #artificialintelligence #machinelearning