If You’re Not Ready for SB-327, Your Product May Have Missed the Market
Chief Technology Officer, ioXt
Are you ready for SB-327? Do you even know what it is?
Whether you’re aware of it or not, IoT public policy is happening and changing fast. So fast, in fact, that some manufacturers may not even know that products they plan to launch in 2020 are already out of compliance.
In the US, in the absence of industry agreed-upon product security standards or federal regulations, each state has stepped into the void. Currently, SB-327 is California’s answer to minimum IoT security. The state bill, which goes into effect January 1, 2020, simply requires that each connected device sold in California have a unique password or a means to force new credentials once someone starts using the device. Is your next product line designed to do that? If not, you’ve already missed the market. And chances are, more security requirement “surprises” are already in the works. That raises the question: “Who’s steering the IoT public policy ship, and are they thinking ahead about the industry and its consumers?”
Like other bills before it, SB-327 has good intentions. Unfortunately, it not only falls far short of providing IoT security, but adds to a growing problem. California’s bill, like others before it, sets the stage to regulate IoT security state by state—inviting each state to “improve” upon bills passed by the others and thereby putting industry on a path to conflicting regulations.
For example, Virginia offered bill HB-2793 in January after the state decided passwords alone aren’t enough to protect consumers. The bill introduces a password equation that requires the password for any device sold in Virginia to be at least 10 characters long and to have at least three of the following: at least one uppercase letter, at least one lowercase letter, at least one digit and at least one special character. The issue is that another state could easily require a different equation, password length or password rotation period. Thus, a company in Germany producing products in China with communication libraries from the US may have to create different loads for Virginia and Mississippi.
As users, we’ve all felt the pain when our favorite password variation doesn’t work for a website. Can you imagine how hard it will be for a smart light bulb to solve that problem?
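To make the "different loads" problem concrete, here is an added example (not from the original article or from ioXt) that evaluates one firmware build's provisioned credentials against the two state rules as this article describes them: California's unique-or-forced-reset requirement and Virginia's length-plus-three-classes equation. The sample batch, the field names and the encoding of each rule are this example's own assumptions, not the statutory text.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceCredential:
    """Factory-provisioned login for one device (constructed sample data)."""
    serial: str
    password: str
    forces_change_on_first_use: bool


def meets_sb327(device, batch):
    """CA SB-327 as described: unique password per device, or the device
    must force the user to set new credentials when first used."""
    shared = sum(1 for d in batch if d.password == device.password) > 1
    return device.forces_change_on_first_use or not shared


def meets_hb2793(password):
    """VA HB-2793 as described: 10+ characters and at least three of
    {uppercase, lowercase, digit, special character}."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 10 and sum(classes) >= 3


# One rule per state; each takes (device, whole batch) so uniqueness can be checked.
STATE_RULES = {
    "CA-SB327": lambda d, batch: meets_sb327(d, batch),
    "VA-HB2793": lambda d, batch: meets_hb2793(d.password),
}


def compliance_report(batch):
    """Per-device, per-state pass/fail for a single firmware load."""
    return {d.serial: {state: rule(d, batch) for state, rule in STATE_RULES.items()}
            for d in batch}


def states_requiring_separate_load(batch):
    """States in which at least one device in this build fails: each of these
    would need its own load (or the build must satisfy the strictest rule)."""
    report = compliance_report(batch)
    return sorted({state for results in report.values()
                   for state, ok in results.items() if not ok})


# Constructed sample batch: unique lowercase+digit passwords pass CA but not VA;
# a shared "admin" default passes CA only when it forces a change on first use.
SAMPLE_BATCH = [
    DeviceCredential("SN-0001", "lampa1b2c3", False),
    DeviceCredential("SN-0002", "lampd4e5f6", False),
    DeviceCredential("SN-0003", "admin", True),
    DeviceCredential("SN-0004", "admin", False),
    DeviceCredential("SN-0005", "Lamp7Q2x9kz", False),
]
```

Running `compliance_report(SAMPLE_BATCH)` shows that only SN-0005 satisfies both states, so a build aimed at the strictest rule is the only way to avoid shipping separate loads.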
Years ago, there was debate about whether government should regulate IoT security. Now, with the perspective gained and headaches posed by state bills like California’s and Virginia’s, the discussion has shifted to not if but what that regulation should be.
Several bills have been winding their way through Congress. Recently, many have been rewritten to require companies that sell connected devices to federal agencies to follow minimum cybersecurity standards. Notably, the revised bills would mandate that NIST work with industry to set these requirements. This is a great way for companies in IoT-related fields to partner with technical representatives from government. Further, it allows security requirements to improve over time without Congress’s involvement.
What does this mean for those doing business in IoT? That it’s time to add your voice to the conversation. Again, IoT public policy is on the move—but not necessarily on the path that makes sense for everyone today or tomorrow. Get involved and help correct that by joining a community committed to harmonizing best security practices and arriving at testable standards. In other words, a group in which the IoT industry comes together and leads the way in establishing universal IoT security standards that benefit everyone.
The ioXt Alliance was created to provide a place for device manufacturers, technology vendors, technology alliances, standards organizations, and retailers to discuss and align on security standards independent of the underlying connectivity technology. These standards can be referenced by retailers when requesting products for their sales channels. Further, this group provides a means for industry to stand shoulder to shoulder and work with regulators to develop responsible and reasonable regulations to protect consumers—and to protect them equally across the entire US.
The world of IoT public policy is changing fast. Don’t get blindsided by a state bill like SB-327 or anything else that could delay, or even prevent, your product from hitting the market.
Help track and shape public policy that impacts your industry—and your bottom line. Join the alliance at www.ioxtalliance.org.