California governor signs country's first IoT security law
California Gov. Jerry Brown has signed into law a broad cybersecurity bill governing Internet of Things devices, making the state the first in the nation to adopt such legislation.
Brown signed the bill, SB 327, on Friday. The law mandates that any maker of an Internet-connected, or "smart," device ensure the gadget has "reasonable" security features that "protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
In June, California passed a data-privacy law that some have called the country's toughest. It includes stopping the collection and sale of personal data upon request from consumers. The new IoT rule, however, has garnered mixed reviews.
Submitted via IRC for Bytram
(Score: 1, Touché) by Anonymous Coward on Tuesday October 02 2018, @03:20AM (3 children)
Lawyers are going to tell me how to secure my shit.
I guess I can retire and rest easy knowing that California officers of the court know better than I do when it comes to securing my stuff.
(Score: 3, Insightful) by MostCynical on Tuesday October 02 2018, @03:48AM (2 children)
This is IoT, so the concept of "ownership" is still not settled (if it requires connection to a server you don't control, it is not yours, you are merely renting)
The lawyers don't get to decide anything about how you do your security.
The judges will make decisions based on evidence of problems with implementations which caused loss or harm.
Sometimes, they may get to a "minimum expectation", as with explody fuel tanks in cars (nothing said "must be made of x" or "must have double walls", but did say "should not go boom").
Good luck with all the IoT things made in China, India, Indonesia...
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 4, Insightful) by qzm on Tuesday October 02 2018, @04:04AM (1 child)
So... Tell me how that works when the CPU you use ends up having a fault, or the commonly used library you are using had a fault, or your compiler, etc, etc.
When exactly will they also apply the same law to computers? Phones? No, I thought not....
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @01:09PM
Usually, if you are doing "industry standard practices" you will be ok. If you're using OpenSSL and Heartbleed hits, you should be fine legally, as long as you patch in a reasonable time.
Rolling your own crypto package and storing everything as plain text that can be accessed without authorization? Maybe not so ok.