The California State Legislature recently completed a data privacy/data security two-step by passing two new laws with significant third-party risk management implications for a broad collection of companies.
In late September, California enacted what some are referring to as the country’s first “Internet of Things (IoT) security law.” The new law requires makers of connected devices (those assigned an IP or Bluetooth address) to have in place “reasonable” security features. This vague qualifier is (somewhat) fleshed out in the law’s description of security features that are:
The law states that its requirements are not enforceable by a private right of action, which would prevent class action lawsuits from arising following a major data breach of a connected device. However, the law is enforceable by the California Attorney General as well as government attorneys at the city, county and district level. “As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts….” according to a Davis Wright Tremaine LLP bulletin on the new law.
These requirements are currently scheduled to take effect Jan. 1, 2020 – the same day that the state begins enforcing the sweeping California Consumer Privacy Act of 2018 (CCPA). Approved – swiftly – in June, the CCPA is notable for a number of reasons including:
It’s also notable that the law’s language allows for it to be amended. Any changes that do occur appear likely to be made to clarify compliance requirements. Given that a PwC survey finds that only 52 percent of U.S. companies that will need to comply with the CCPA expect to be compliant by Jan. 2020, organizations should immediately begin assessing and addressing their compliance needs.