In 1999, renowned inventor and self-described futurist Ray Kurzweil—now director of engineering at Google—published “The Age of Spiritual Machines,” in which he proposed a formula for calculating the rate of change in evolutionary systems. Dubbed “The Law of Accelerating Returns,” Kurzweil’s formula holds that technological progress will occur at an exponential rate. Viewed in relation to human history, this means in the 21st century “we won’t experience 100 years of progress”; instead, the growth rate “will be more like 20,000 years of progress.”
Over the past two decades, Kurzweil’s model of technological progress has been validated. Today, the world is home to more internet-connected devices (10 billion) than people. Dubbed the “Internet of Things” (IoT), this interconnected network of digital devices has revolutionized how we interact with the world around us. From driverless cars, to personal drones, to smart homes, the degree to which the IoT has affected contemporary society is nothing short of profound.
Only recently, however, have states started to grapple with the myriad security and privacy concerns implicated by the IoT. In September, California became the first state to pass legislation designed to protect the privacy and security of IoT users from the ever-increasing threat of hacking. But the impact (and adequacy) of this legislation, as well as the future of IoT legislation across the country, remains unknown.
Hack the Planet
As defined by the Federal Trade Commission (FTC), the IoT encompasses “devices or sensors—other than computers, smartphones or tablets—that connect, communicate or transmit information with or between each other through the Internet.” Common examples include wearable devices (like Fitbit and the Apple Watch); smart-home devices (like Google’s Nest Thermostat and the Kohler Verdera Smart Mirror); and vehicle enhancements (like AT&T’s Connected Car).
Like personal computers (PCs) and smartphones, IoT devices collect, store and transmit users’ personal data. But unlike a PC or smartphone, IoT products tend to be sold without antivirus software, and do not require users to update their login and password information. As a result, the IoT landscape is considered a goldmine for cybercriminals and hackers.
Take, for example, a baby monitor. Today, many parents monitor their children by placing Wi-Fi video monitors in their bedrooms. But as NPR reported earlier this year, these baby monitors often contain several “easy-to-exploit vulnerabilities” that not only allow hackers to peer inside young children’s bedrooms, but also “gain access to a home’s Wi-Fi network to get information off computers, possibly for financial gain.”
Other IoT-connected products are equally susceptible to hacking. Fiat Chrysler was forced to recall 1.4 million cars in 2015 after a team of cybersecurity researchers hacked a Jeep Cherokee’s infotainment system, took control of the steering wheel, disabled the breaks and shut down the engine. The health care industry experienced a similar scare a year later, when the FDA confirmed St. Jude Medical was using implantable cardiac devices (e.g., pacemakers) that possessed “vulnerabilities that could allow a hacker to … deplete the battery or administer incorrect pacing or shocks.” And the St. Jude case was followed by the widely reported Mirai botnet attack in October 2016, when attackers hijacked IoT devices around the globe by exploiting a vulnerability in webcams and digital recorders, and then used those devices as a botnet to flood the networking company Dyn with malicious traffic. Because of this attack numerous popular websites—including Twitter, Netflix and Reddit—were forced to temporarily shut down.
California Dreamin’ [of Better Security]
To combat the ever-increasing threat of IoT hacking, California recently became the first state to mandate the implementation of security features for IoT devices. The law, which goes into effect in January 2020, covers all internet-connected devices made or sold in California. It specifically requires manufacturers to equip devices with “reasonable security” features designed to protect the device from “unauthorized access, destruction, use, modification or disclosure.” Compliance can be accomplished by preprogramming the device with a unique password or requiring users to generate a new password before accessing the device for the first time.
The bill has garnered approval from numerous privacy rights organizations and consumer groups, including the Electronic Frontier Foundation and Privacy Rights Clearinghouse. Experts have lauded the bill’s user-specific password requirement as an important step in protecting users’ privacy, as default passwords—e.g., “admin” or “1234”—are easily searchable on Google, and consumers often fail to change default passwords after buying an IoT device. By the same token, the law’s use of the term “reasonable” offers an important degree of flexibility—allowing it to be broad enough to cover future technological advancements.
But the bill has received criticism as well. According to security researcher Robert Graham, one of the law’s major shortcomings is its failure to protect IoT devices from potentially infecting each other. For example, Graham notes that the law could have offered more protection by requiring IoT devices to be sold in a default “isolation” mode, which “prevents infected laptops/desktops (which are much more under threat than IoT) from spreading to IoT.”
Importantly, California’s IoT law, which does not contain a private right of action, is enforceable only by California’s attorney general or city attorney, a county counsel or a district attorney. Nevertheless, according to numerous commentators the plaintiffs bar is expected “to ramp up its activity in this space in the near future, to seize on the new security requirements if there’s a breach or other major security incident that allegedly lacked proper password security.”
California’s law may spur additional legislation as well. In June 2018, the U.S. House of Representatives’ Committee on Energy and Commerce introduced a bill titled the State of Modern Application, Research, and Trends of IoT Act—otherwise known as the SMART IoT Act—that would empower the Secretary of Commerce to conduct a study of IoT devices, determine federal agency jurisdiction over such devices, provide regulations and resources, and report back to the House Committee within one year. This legislation came on the heels of the Internet of Things Cybersecurity Improvement Act, which was introduced in the Senate in August 2017. Although these bills have yet to be passed, California’s initiative may spark a renewed interest in further regulating IoT devices on a national scale.
California’s IoT law is sure to have a significant impact on the IoT landscape in the coming decade. As technology continues to progress, and as resultant security concerns emerge, California is posed to play a starring role in regulating the IoT industry. But whether this cast of characters will grow through additional state or federal legislation is unknown. Either way, the IoT show will go on.
Jeffrey N. Rosenthal is a partner in Blank Rome’s Philadelphia office. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. Contact him at Rosenthal-j@BlankRome.com.
Thomas F. Brier, Jr. is an associate in the firm’s Philadelphia office. He concentrates his litigation practice on a variety of criminal and civil litigation matters, and has written extensively on issues pertaining to data privacy and cybersecurity. Contact him at TBrier@BlankRome.com.