California has a history of creating legislation that creates a ripple effect that affects consumers in other states. While the laws only affect California, they often push companies into adopting the rules broadly – for example, California’s strict auto emissions standards have been adopted in 16 other states since 2004. “What California does definitely impacts the national conversation,” says state Senator Scott Wiener. As the home of some of the biggest names in technology, it’s no surprise that California’s legislators are especially concerned about cybersecurity. In 2018 alone, California has passed several laws that they hope will inspire other states – and ultimately, Congress – to passing cybersecurity laws that better address the issues of our time. However, these California cybersecurity laws have also attracted criticism from tech companies, cybersecurity experts, and the Federal Government. These California cybersecurity laws may come to affect you, which is why we’ve created this guide.
Perhaps the most controversial law on this list, this law restored net neutrality within the state of California, after the Federal Communications Commission (FCC) repealed net neutrality nationwide. Hours after the bill was signed into law in September 2018, the Department of Justice announced that it would file a lawsuit against the state for “attempting to subvert the Federal Government’s deregulatory approach” to the internet.
First, it forbids ISPs from increasing or decreasing speeds, demanding paid access to specific sites or apps, or blocking specific sites or apps.
Second, it outlaws “zero rating,” the practice by which an ISP exempts access to a site or app from counting against a subscriber’s data cap. Many ISPs own media companies, and could use zero rating to encourage the use of apps or sites they own, and discourage use of ones they don’t own.
…it may be illegal. “Under the Constitution, states do not regulate interstate commerce—the federal government does,” Attorney General Jeff Sessions said in a statement about the Department of Justice’s lawsuit. The FCC also agrees that states can’t create their own net neutrality laws, however, it’s unclear whether or not the FCC has the authority to enforce this statement.
Signed into law on June 28, 2018, the California Consumer Privacy Act has been compared to GDPR, the strict set of data privacy laws implemented in the European Union in May 2018.
Similar to GDPR, California’s privacy law requires organizations to obtain consent from individuals to collect and use their data, and disclose how the data is used. It grants consumers the right to request that a business disclose the categories and specific pieces of information it collects, the sources of that information, the reasons why the business collects and/or sells that information, and the categories of the third parties that info is shared with. This law goes into effect on January 1, 2020.
…the act was put together and passed quickly with important terms left poorly defined or undefined. “The lack of precise and clear definitions in this legislation will make compliance difficult for companies looking to do the right thing,” Robert Callahan, vice president of state government affairs at the Internet Association (which represents companies like Facebook and Google).
… it could encourage companies to charge customers for data privacy. Under the law, companies cannot offer a lower level of service to customers who opt out of having their data sold to third parties, but they could charge those customers more. “I believe this path to pay for privacy is a dangerous and slippery slope,” said California Senator Hannah-Beth Jackson (who, despite this, supported the bill).
In August 2018, California became the first state with a law requiring security for IoT (Internet of Things) devices. These devices commonly contain vulnerabilities and other security issues, and are a common target for cyberattacks.
When the law goes into effect on January 1, 2020, manufacturers will be required to include “reasonable” security features for IoT devices that would prevent unauthorized access, modification, or data exposure. It also discourages the use of generic passwords that are easy for cybercriminals to guess. If the device can be accessed outside a local area network with a password, the device needs to either come with a unique password, or force users to set their own password when they use the device the first time.
…the law proposes fixes that don’t address the real issues. “It’s based on the misconception of adding security features,” says security researcher Robert Graham. “The point is not to add ‘security features’ but to remove ‘insecure features.’”
…it doesn’t go far enough. “Moving away from default passwords is a wise choice, but password hygiene won’t prevent other types of attacks,” says Joe Lea, vice president of product at IoT security firm Armis. “There are other ways to attack these devices and exploit them.”
…the language is unclear and difficult to enforce. “This legislation requires manufacturers to include ‘reasonable’ security features, like unique passwords, but the language is intentionally vague and undefined because what is ‘reasonable’ varies by device,” says Jessica Ortega, Website Security Analyst at SiteLock. “Additionally, the language does not address the different types of security or authentication that are not considered passwords, like PINs or facial recognition, creating a loophole. For example, devices could require 4-digit PIN instead of a password and still be considered compliant.”
California’s cybersecurity laws are forward-thinking, but often criticized for going too far – or not far enough. The years to come will prove interesting as these laws take effect, or are challenged by government bodies and manufacturers. Keep an eye on the headlines to see if these laws come to affect you, and be sure to follow SiteLock on Twitter for the latest cybersecurity news!