EXECUTIVE SUMMARY:
While the UK’s GDPR regulations have taken the world by storm, California has been focusing on its own version of consumer internet protection. On September 28, the Golden State passed the nation’s first internet of things (IoT) cybersecurity law, dubbed SB-327 Information privacy: connected devices. The new legislation will no longer allow manufacturers to ship their devices with weak default passwords such as ‘admin’ and ‘password,’ the BBC reports.
Manufacturers of devices such as webcams and routers sometimes set their devices to simple and common passwords because it is easier for them to do so. However, this comes at a cost to the consumer, who is at risk of being hacked because many consumers never change the default password.
The bill, which goes into effect at the start of 2020, will require that each device come with a unique, pre-programmed password or have a start-up process that allows a first-time user to create a strong password.
SB-327 is just one of several pieces of legislation that have surfaced to protect consumers. For instance, the SEC has just, as The New York Times referred to it, “dusted off” a five-year-old piece of legislation that had never been used until now. Known as the “Identity Theft Red Flags Rule,” it was enacted to require investment firms to take measures to prevent identity theft. In addition, the rule mandates that firms’ boards of directors or senior leadership administer the program. The unlucky first firm to be censured under the identity theft rule is Voya Financial Services, for allowing hackers to access social security numbers, account balances, and other client investment details in a 2016 cyberattack.
In yet another example, The Washington Post recently reported that Silicon Valley congressman Ro Khanna (D-Calif.) is working to pass an Internet Bill of Rights, which consists of 10 principles that would protect consumers from the effects of data breaches and the misuse of their personal information on the internet. No doubt the recent news that Google+ exposed user data, and delayed disclosing the information out of fear of repercussion, will stoke the fire already burning under this proposed legislation.
But what separates SB-327 from the others is that it’s the first attempt to hold manufacturers responsible for their devices. And while some are hailing the new IoT law as a step in the right direction, it has also been criticized for not going far enough. As The Verge reports, some are concerned that the law errs by “focusing on adding ‘good’ features instead of removing bad ones that open devices up to attacks.” Kieren McCarthy of The Register believes that the real problem is not so much weak passwords as devices that can’t be updated.
Nonetheless, BBC notes that there have been numerous instances of cyberattacks that have exploited default and easy-to-guess passwords. “In late 2016, Twitter, Spotify, and Reddit were among sites taken offline by an attack that took advantage of poor passwords on lots of net-connected gadgets including webcams and other so-called smart home hardware.”
Regardless of the strength of the legislation, it’s possible that one of the positive effects will be to at least raise awareness of good cybersecurity hygiene on both sides of the equation—those making the devices, and those using them.
Get the full story at BBC.