California to Regulate Security of IoT Devices

Existing legislation in California already requires businesses that own, license, or maintain personal information about any resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

California Senate Bill 327 (SB-327 Information privacy: connected devices) is the first of its kind in the United States. It aims to establish basic security rules for the collection and processing of personal information from connected devices.

The law also applies to connected vehicles, including most passenger cars sold today. It has been demonstrated that, without proper protection, a connected car can become a severe security risk. For instance, an attacker might use the vehicle's connectivity to gain control of its systems. Here, "reasonable" security implies a need to avoid this possibility. Where connected vehicles are concerned, the biggest threat is not data theft, but the security of the vehicle and its passengers.