On September 28, California’s SB 327 was signed by the governor, making it the first U.S. law to mandate security provisions in the manufacture of internet of things (IoT) devices. A similar, though more extensive, federal bill known as the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 still sits with the Committee on Homeland Security and Governmental Affairs, and I have not seen any recent activity on its development.
The new California law states that connected devices must be manufactured with “reasonable” security features. This means IoT device makers may need to start providing unique preprogrammed device passwords (instead of default passwords) or embedding functions that force users to authenticate before access is granted to the device for the first time.
Existing California law already compels businesses to implement and maintain reasonable cybersecurity procedures appropriate to the nature of the collected data, but the new legislation applies specifically to “things.” I’ve seen critics of the new law point out that the requirements are vague, neglect encryption and don’t address underlying bad practices that are fueling the problem.
But pretty much everyone agrees there is a problem.