California Passes Nation’s First Cybersecurity Law Addressing Internet of Things

Scott Repasky
Written by
Last update:

California has become the first state to pass a law that addresses cybersecurity and privacy for Internet-connected devices, according to a statement yesterday from the office of the state attorney general.

The law, SB-327, had its final assembly vote Wednesday and was sent to Gov. Jerry Brown for his expected signature, according to the statement.

It also explicitly deals with the human element in security rather than focusing on technical causes. For example, SB-327 now requires companies to disclose how they will collect information from a device, whether data will be sold to third parties or used for marketing or advertising, and to make a good-faith effort to protect that data.

In addition, the law requires that devices must have a reasonable security feature or feature that is "appropriate" for the device. In the event of a security breach, a reasonable security feature requires that the company notify individuals "without unreasonable delay" or within 72 hours if the security breach is likely to cause "substantial harm."

The law also requires that any company that offers a smartphone app for minors aged 12 years or younger must include a privacy policy on the app developer's website.

Under SB-327, if data from any intentionally installed software is collected through a device, then the device's owner must be informed about what information will be collected and how it will be used.