Addressing the Challenges of New Privacy Laws

Author Farbod H. Foomany, Ph.D., CISSP and Nathanael Mohammed

US State of California Senate Bill 327 Information Privacy: Connected Devices (SB 327) goes into effect January 2020. What does that mean for you? Even if your organization does not develop Internet of Things (IoT) devices, SB 327 is worth following. It is in a unique situation because of its scope and breadth, not only for privacy and security, but also for how privacy-based laws are enforced and regulated.

Think of it as representing new territory in privacy. We are now seeing the social responsibility lawmakers are taking on by legislating privacy and security requirements, and while no one can say that is a bad thing, how are lawmakers deciding what goes into these laws?

Moreover, when it comes to regulation, it is not clear how SB 327 will be enforced. It is not always evident what lawmakers intended with some of their stipulations. In fact, its guidance is to have organizations use “reasonable security features” to protect IoT devices. This means that only time will tell to what degree SB 327 will be regulated because there is no precedence for enforcing the law yet.

Where do we begin with addressing the vague requirements for providing Internet-connected devices with security and privacy controls? Without more information about how the law is intended to be enforced, we can only start with best practices such as:

  • The Open Web Application Security Project (OWASP) IoT Top 10
  • The UK Government's Code of Practice for Consumer IoT
  • The European Union Agency for Cybersecurity (ENISA) recommendations

Frameworks like these are a great place to start, but even with these privacy and security practices, the onus is on organizations to build their own secure development programs. Existing frameworks are helpful for building a taxonomy of security vulnerabilities, but this is not an easy task to undertake, and you will likely need your own team of security professionals if you want to do it yourself.

The importance of SB 327 has been unclear, and its social and industry impact remains to be seen. In an age where technology is moving faster than lawmakers can legislate it, a law with the capacity to extend beyond its jurisdiction could become the first of many that help shape the way we use the devices we rely on every day.

Read Nathanael Mohammed and Farbod Foomany's recent Journal article:

"Building Security Into IoT Devices," ISACA Journal, volume 6, 2019.