IoT regulation a step closer

05 December 2018

Tighter security requirements for connected devices are on the cards, as California passes IoT cyber security legislation and the UK launches its first cyber security code for smart devices.

Concerns over the cyber security for the Internet of Things (IoT) have persisted for a number of years. From medical devices to connected toys and domestic appliances, weak security and vulnerabilities (a 2017 Ponemon Institute study found that 80% of IoT apps had security vulnerabilities) have led to a number of data breaches in recent years.

Earlier this year a casino suffered a data breach, after hackers used an internet connected fish tank to access the network and steal customers’ personal data. On a larger scale, the 2016 Mirai botnet distributed denial-of-service (DDOS) attack on internet infrastructure company Dyn used an army of over 100,000 compromised webcams, routers and other IoT devices.


In late September, California Governor Jerry Brown signed an IoT cyber security law, reportedly the first such state law in the US. Bill SB-327, due to take effect on 1 January 2020, will require IoT manufacturers to ensure their products have “reasonable security features” to protect sensitive customer information from unauthorised access.

The requirement will apply to all “connected devices” sold or offered for sale in California that are capable of connecting to the internet and have an IP or Bluetooth address, and it is not limited to devices that collect personal information. Certain devices are exempt from the law including; medical devices and devices regulated by HIPAA or subject to federal security requirements and regulations.

According to legal commentators, the law is broad in its scope and would apply to almost all types of IoT devices including; smart phones, wearable devices, security cameras and toys. However, the law does offer a definition and guidance on what would be considered reasonable security features. In particular, the law provides guidance on authentication.

IoT devices use various forms of authentication to ensure that an exchange of data is only possible between authorised parties. However, many IoT devices are supplied with default usernames and passwords that are easily circumvented, especially as many users often fail to update their passwords. The guidance proposes that a “reasonable security” feature could include a unique pre-programmed password, or a requirement for a user to create a password before initial access is granted.


There have been calls elsewhere for tighter controls on IoT cyber security. A number of bills have been proposed in the US that could pave the way for federal IoT cyber security rules in the future, including the Internet of Things Cybersecurity Improvement Act of 2017. In Europe, the proposed Cybersecurity Act could become the basis of future IoT security oversight. The draft regulation plans to introduce a voluntary certification regime, which would grade the cyber security of connected devices.

A number of industry and international bodies are also developing codes and security standards for the IoT. Industry body IoT Alliance Australia (IoTAA) released its IoT Guidelines in 2017 to promote a security by design approach to IoT development, as well as an IoT data good practices guide. In September, the US National Institute of Standards and Technology (NIST) published consultation papers on IoT technical concerns and recommendations and IoT cyber security and privacy.


In October, the UK government launched a voluntary Code of Practice to help manufacturers, application developers and retailers boost the security of internet-connected devices. Tech companies, including HP and Centrica Hive, have already signed up to the
Code, which the government claims is a world first.

Developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), the Code sets out practical steps for IoT manufacturers to improve the security of consumer IoT products and associated services. These include; ending the use of default passwords, timely software updates, developing a vulnerability disclosure policy and encrypting sensitive data; as well as incorporating cyber security into the design of software and hardware to minimise attack surfaces and vulnerabilities.

The Code also advises that devices should provide consumers with “clear and transparent information” about how their data is being used, by whom, and for what purposes, in accordance with data protection law, such as the General Data Protection Regulation (GDPR).

Download cyber decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on