
SoylentNews is people

posted by mrpg on Tuesday October 02 2018, @01:30AM
from the first-step dept.

California governor signs country's first IoT security law

California Gov. Jerry Brown has signed into law a broad cybersecurity bill governing Internet of Things devices, making the state the first in the nation to adopt such legislation.

Brown signed the bill, SB 327, on Friday. The law mandates that any maker of an Internet-connected, or "smart," device ensure the gadget has "reasonable" security features that "protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."

In June, California passed a data-privacy law that some have called the country's toughest. It includes stopping the collection and sale of personal data upon request from consumers. The new IoT rule, however, has garnered mixed reviews.

Submitted via IRC for Bytram


  • (Score: 1, Touché) by Anonymous Coward on Tuesday October 02 2018, @03:20AM (#742625)

    Lawyers are going to tell me how to secure my shit.
    I guess I can retire and rest easy knowing that California officers of the court know better than I do when it comes to securing my stuff.

  • (Score: 3, Insightful) by MostCynical (2589) on Tuesday October 02 2018, @03:48AM (#742630)

    This is IoT, so the concept of "ownership" is still not settled (if it requires connection to a server you don't control, it is not yours, you are merely renting).

    The lawyers don't get to decide anything about how you do your security.

    The judges will make decisions based on evidence of problems with implementations which caused loss or harm.

    Sometimes, they may get to a "minimum expectation", as with explody fuel tanks in cars (nothing said "must be made of x, or must have double walls", but did say "should not go boom").
    Good luck with all the IoT things made in China, India, Indonesia...

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 4, Insightful) by qzm (3260) on Tuesday October 02 2018, @04:04AM (#742635)

      So.. Tell me how that works when the CPU you use ends up having a fault, or the commonly used library you are using has a fault, or your compiler, etc, etc.

      When exactly will they also apply the same law to computers? Phones? No, I thought not....

      • (Score: 0) by Anonymous Coward on Thursday October 04 2018, @01:09PM (#744050)

        Usually, if you are doing "industry standard practices" you will be ok. Using OpenSSL, and Heartbleed hits, you should be fine legally, as long as you patch in a reasonable time.

        Rolling your own crypto package and you store everything as plain text that can be accessed without authorization? Maybe not so ok.