Security by design: California’s new IoT security laws

Canadian Lawyer Online — IT Girl Column
 

On Sept. 28, California became the first U.S. state to specifically regulate the security of connected devices, otherwise known as the Internet of Things or IoT devices.

The new laws aim to increase the security of IoT devices, whose global use is growing rapidly. Statista has estimated that more than 23 billion IoT devices are in use in 2018 and that this number will grow to more than 26 billion in 2019 (Gartner has estimated 20 billion devices will be online by 2020).

In Canada, 28 million IoT units were in use in 2013, and this number has risen to 114 million in 2018. Unfortunately, many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware because they enter the market with no passwords, with default passwords (including 123, admin or, even worse, password) or with hard-coded passwords that cannot be modified or updated.

These concerns are not merely speculative. Beginning in Sept. 2016, massive distributed denial of service (DDoS) attacks took down various U.S. internet infrastructure companies/DNS providers, leaving much of the internet inaccessible on the U.S. east coast and incapacitating popular websites (including Airbnb, Amazon, GitHub, HBO, Netflix, PayPal, Reddit, the New York Times and Twitter). 

To read Lisa Lifshitz's complete IT Girl column, visit Canadian Lawyer Online.