Adding an “S” to IoT: New California Law Requires IoT Security

October 8, 2018
Legal Update

California has enacted SB327, which will regulate certain internet-connected devices of the so-called Internet of Things (IoT). The law takes effect on January 1, 2020.

The law requires impacted manufacturers to implement specified security measures. Impacted manufacturers include anyone who manufactures internet-connected devices, or who outsources the manufacturing of internet-connected devices, that are sold or offered for sale in California. The law does not apply to persons or entities that enter contracts to purchase internet-connected devices, even if those devices are then rebranded for the purchaser.

New Security Requirements Imposed on Device Manufacturers

SB327 requires that covered parties equip devices with reasonable security that is

In some cases, a manufacturer-provided password that is unique to each device may satisfy the “reasonable security” requirement. It has been a common manufacturer practice to provide devices with shared default passwords, meaning that the device can be easily accessed after installation if a new password is not set by the end-user.

Exclusions from SB327

Device manufacturers will not be required to meet the requirements of the law in all situations. Importantly, manufacturers have no duty to secure unaffiliated software programs that users may choose to install on a connected device. In addition, there are exceptions relating to, among other things, law enforcement activities, health-care providers, devices regulated by federal law or regulations, and firmware updates that the manufacturer may wish to install.

The law has no private right of action. Instead, the Attorney General, city attorney, county counsel, or a district attorney shall have the right to enforce.

California continues to lead the nation in enacting privacy and security laws. This IoT law comes on the heels of the recently enacted California Consumer Privacy Act (CCPA), which also goes into effect on January 1, 2020. Like the CCPA, this law has an extraterritorial reach—impacting businesses located inside and outside of California. In this case, so long as a manufacturer sells internet-connected devices in California, the manufacturer will be required to meet the law's requirements unless an exclusion applies.

For more information please contact Doug Gastright, Melissa Kern, Jane Shea or any attorney in Frost Brown Todd's Privacy and Information Security Team.