IoT Security – The First Law

The rapid expansion of the Internet of Things (IoT) is projected to reach 75 billion connected devices by 2025. While automation simplifies daily life, the interlinked nature of these devices significantly increases the "attack surface," giving cybercriminals many more entry points into homes and businesses.

To address these risks, California enacted SB-327: Information Privacy: Connected Devices, the first law of its kind in the United States.

The California IoT Law (SB-327)

Introduced in 2018 and effective as of January 1, 2020, this law requires manufacturers and vendors of IoT devices to implement "reasonable security" measures. Specifically, a device must meet one of the following:

  • Unique Pre-assigned Password: The device comes with a password unique to that specific unit.
  • Forced Password Change: The user is prompted to create a new, unique password before the device can be used for the first time.

Key Definitions

  • The Producer: Any business entity that produces the device and markets it to the public, including third-party suppliers, distributors, and marketing agencies involved in the chain.
  • Connected Device: Any physical or virtual object connected directly or indirectly to the internet that possesses a unique IP or Bluetooth address.

Consequences of Non-Compliance

Unlike the GDPR or CCPA, SB-327 lacks a "private right of action." This means private entities (like law firms or individuals) cannot sue manufacturers for non-compliance. Enforcement is restricted to California government agencies, such as the Attorney General or District Attorneys.

Criticisms and Disadvantages

Despite being a landmark bill, experts and critics have identified several weaknesses:

  1. Vague Authentication: The law mandates passwords but provides no guidance on what counts as a "strong" password. A user could theoretically set the word "password" as their password.
  2. Lack of Accountability: Proving manufacturer wrongdoing in court remains difficult, making it nearly impossible for consumers to recoup damages following a breach.
  3. Network Security Gaps: The law focuses on the device itself but ignores the security of the connections (encryption, protocols) between the device and related cloud services.
  4. Ambiguous Terminology: Terms like "reasonable" and "appropriate" are not defined with specific technical thresholds, leaving them open to wide interpretation.
  5. Single-Layer Security: The law only requires one layer of security (a password). Critics argue it should be updated to require Multifactor Authentication (MFA) and align with the Zero Trust Framework.
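As an added illustration, not code from the original post or from any vendor's firmware, the snippet below shows what the two SB-327 options described above can look like in device code: a random per-unit password for option 1, and a factory default that unlocks nothing except the mandatory password change for option 2. The blocklist and 12-character minimum fill the "strong password" gap raised in the first criticism; all names, thresholds and the `admin` default are assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed example; the names, blocklist and length threshold are assumptions.
MIN_LENGTH = 12
BLOCKLIST = {"password", "admin", "default", "123456", "12345678"}

def generate_unit_password(length=16):
    """Option 1: random per-unit password set at manufacture, printed on the label."""
    return secrets.token_urlsafe(length)[:length]

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_strength(candidate, factory_default):
    """Rejects choices the statute itself does not forbid, such as 'password'."""
    if candidate == factory_default:
        return "new password must differ from the factory default"
    if candidate.lower() in BLOCKLIST:
        return "password is on the blocklist"
    if len(candidate) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    return None

class Device:
    """Option 2: the shared factory default only unlocks the mandatory change step."""
    def __init__(self, factory_default):
        self._factory_default = factory_default
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(factory_default, self._salt)
        self.password_changed = False

    def _verify(self, password):
        return hmac.compare_digest(_hash(password, self._salt), self._hash)

    def login(self, password):
        if not self._verify(password):
            return "denied"
        # Right password but default still in place: nothing but the change step.
        return "ok" if self.password_changed else "change-password-required"

    def set_password(self, current, new):
        if not self._verify(current):
            return "denied"
        if error := check_strength(new, self._factory_default):
            return error
        self._salt = secrets.token_bytes(16)
        self._hash = _hash(new, self._salt)
        self.password_changed = True
        return "ok"
```

Every other firmware feature would gate on `login()` returning "ok", so a unit still carrying its factory default exposes nothing but the change-password step.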

While flawed, SB-327 is considered a foundational step that sets the stage for future, more robust IoT legislation across the United States.