Amended in Assembly April 23, 2018

CALIFORNIA LEGISLATURE 2017–2018 REGULAR SESSION

Assembly Bill No. 1906

Introduced by Assembly Member Irwin

January 22, 2018

An act to add Chapter 36 (commencing with Section 22948.30) to Division 8 of the Business and Professions Code, relating to business regulations.

## LEGISLATIVE COUNSEL'S DIGEST

AB 1906, as amended, Irwin. Business regulations: information privacy: connected devices: security features.

Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.

This bill would require a manufacturer that sells or offers to sell a connected device in California to equip the connected device, as defined, with a reasonable security ~~features~~ feature or features appropriate to the nature and function of the device and the information that it may collect, contain, or transmit, that is designed to protect the device and any information contained within it from unauthorized remote access or use. The bill would ~~require the equipped security features for any connected device to include either a security feature that requires a preprogrammed password for access that is unique to each device manufactured or sold, or a security feature that requires the user to create a new password before access is granted for the first time.~~ provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

## Digest Key

Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO

## Bill Text

## The people of the State of California do enact as follows:

### SECTION 1.

Chapter 36 (commencing with Section 22948.30) is added to Division 8 of the Business and Professions Code, to read:

CHAPTER 36. Internet of Things Botnet Prevention Act

22948.30. For purposes of this ~~chapter, connected device~~ chapter:

(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.

(b) Connected device means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device.

(c) Manufacturer means the person who (1) physically manufactures, and (2) sells or offers to sell a connected device in California.

(d) Security feature means a feature of a device designed to provide security for that device.

22948.31. (a) A manufacturer that sells or offers to sell a connected device in California shall equip the connected device with a reasonable security feature or features appropriate to the nature or function of the device and the information that it may collect, contain, or transmit, that is designed to protect the device and any information contained therein from unauthorized remote access or use.

~~(b) The equipped security features for any connected devices shall include either of the following:~~

~~(1) A security feature that requires a preprogrammed~~

(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either:

(1) The preprogrammed password for access that is unique to each device ~~manufactured or sold.~~ manufactured.

(2) ~~A~~ The device contains a security feature that requires a user to ~~create~~ generate a new ~~password~~ means of authentication before access is granted to the device for the first time.

(c) This chapter shall not be construed to impose any duty upon the manufacturer of a connected device related to unauthorized software or applications that violate the terms of use of a connected device.

(d) This chapter shall not apply to any connected device whose functionality is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

(e) This chapter shall not be construed to provide a basis for a private right of action.