If Left to Our Own Devices… What the New CCPA Regulations Mean to Risk Management

These days everything’s connected through the Internet, that constantly growing and evolving massive communications network. More and more devices are being connected (75 billion or so by 2025), forming a complex interrelated platform or ecosystem commonly referred to as the Internet of Things (IoT). This platform offers consumers convenience, ease of use, comprehensive information management and, unfortunately, unknown security risks. Every consumer wireless device—every smart appliance, every wearable, every medical implant, every door lock and thermostat, every self-driving car, every surveillance camera, every seemingly eavesdropping personal assistant—transmits data, very sensitive data at that, in order to keep everything working. Some of the time.

Meanwhile businesses are leveraging IoT to foster greater efficiency and productivity, gain real-time information and improve the customer experience by providing innovative solutions and devices. These solutions collect vast amounts of data across the enterprise and across the third parties a business may employ to support and deliver those services. A good deal of this information is generated by those third parties, such as contractors and partners. This leaves business cybersecurity teams markedly more challenged and vulnerable to cyberattacks and data breaches through a vast IoT landscape that may provide open entry points that have either gone unnoticed or, worse, been ignored.

State lawmakers have begun to enact sweeping security legislation to address these issues in the face of slow action at the federal level. In June 2018 California became the first state to pass comprehensive consumer privacy regulations—the California Consumer Privacy Act (CCPA)—which will take effect in January 2020. This legislation broadens the definition of “personal information,” providing consumers with significantly more control over how their information is used, including how businesses collect, share and sell that information. However, it did not tackle IoT security specifically.

California doubled down on consumer privacy laws with the Security of Connected Devices Act (SB-327). This additional law will institute strict new regulations pertaining to connected devices, increase oversight on IoT security, and cover the data (beyond personal data) that IoT devices collect, store and transmit, thus expanding upon consumer privacy features contained in the CCPA legislation.

SB-327 will require manufacturers of connected devices to equip those devices, depending on their function, with “reasonable” security features that protect the device as well as “any information it may contain from unauthorized access, destruction, use, modification, or disclosure.” For example, users of new devices would be required to create a unique password before using the device for the first time, removing the default password problem and ensuring a stronger layer of password protection. Overall, consumers of these devices should feel a greater sense of control over their personal information.
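As an added illustration (not code from this article, from SB-327 or from any manufacturer), the following Python sketch shows one way device firmware could enforce the first-use requirement described above: no login is accepted until the owner sets a credential that is not on a constructed list of common factory defaults and is not derived from the device serial. The class name, the default list and the serial format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample of factory-default strings a device should refuse (not an official list).
DEFAULT_CREDENTIALS = {"admin", "password", "12345", "123456", "1234", "default", "root", "user"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


class DeviceAuth:
    """Hypothetical first-boot credential gate: the device is unusable until a
    unique, owner-chosen password has been set, so no default ever works."""

    def __init__(self, serial: str):
        self.serial = serial
        self._salt = None
        self._hash = None

    def provisioned(self) -> bool:
        return self._hash is not None

    def is_acceptable(self, candidate: str) -> bool:
        """Reject short, default, or serial-derived passwords."""
        lowered = candidate.lower()
        if len(candidate) < MIN_LENGTH:
            return False
        if lowered in DEFAULT_CREDENTIALS:
            return False
        if self.serial.lower() in lowered:  # a password printed on the label is not unique
            return False
        return True

    def _derive(self, candidate: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)

    def set_initial_password(self, candidate: str) -> bool:
        """Set the owner's password exactly once; returns False if the candidate is rejected."""
        if self.provisioned():
            raise PermissionError("credential already set; use the authenticated change flow")
        if not self.is_acceptable(candidate):
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(candidate, self._salt)
        return True

    def login(self, candidate: str) -> bool:
        """Before provisioning every login fails, so there is no default to guess."""
        if not self.provisioned():
            return False
        return hmac.compare_digest(self._derive(candidate, self._salt), self._hash)
```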

“The net of this bill is it basically requires people to understand IoT devices,” said Charlie Miller, Senior Advisor at The Santa Fe Group. “It’s all good stuff and essential to have in place but one of the challenges will be how companies are required to monitor and demonstrate compliance with the law. The problem is no longer just exposure of one’s personal information but reducing exposure to many things, including one’s personal safety.”

Consider the fact that as more employees telecommute—working from home, airports or anywhere they can access the internet—they are potentially compromising their security. Many companies have been focused more on managing and securing internal workplace IoT devices as opposed to those in use by external third parties.

This lack of regulation, oversight and governance has slowed risk management efforts over IoT. As Miller notes, “Our research shows that there continues to be limited assignment of accountability and limited success in maintaining inventories of IoT devices within their organizations and their third party suppliers, which is essential to ensure they know what functions the devices perform, what security features are present, what data is collected and how it is secured and transmitted.”

The current threat landscape is real and expanding rapidly, consisting of countless avenues for malicious attacks: malware, ransomware, cryptojacking (covertly using compromised devices’ processing power to mine cryptocurrency), phishing (mostly through email click-throughs), denial of service (DoS) attacks and botnets.

So, what can third party risk managers do to address these critical issues and mitigate risk? One major action would be to understand who in your organization is accountable for IoT. Develop a plan to inventory IoT devices, understand the risks they pose to your organization, ensure your internal and third party controls are assessed and validated to mitigate those risks, report results to your risk committee, and include IoT risk in your education and awareness training, delivered at all levels of the organization.

Additionally, IoT device manufacturers who wait or fail to comply with this law and implement these requirements related to consumer security and privacy measures may face financial penalties and fall behind those manufacturers who do comply.

At the very least, “This law will get people to pay attention to the risks posed by IoT devices, and given that this law is still somewhat open-ended, we should expect to see additional requirements,” Miller said.