Amended IN Senate July 03, 2018 Amended IN Senate June 11, 2018 Amended IN Assembly May 09, 2018 Amended IN Assembly April 23, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1906Introduced by Assembly Member IrwinJanuary 22, 2018 An act to add Chapter 36 (commencing with Section 22948.30) to Division 8 of the Business and Professions Code, relating to business regulations. Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy.LEGISLATIVE COUNSEL'S DIGESTAB 1906, as amended, Irwin. Business regulations: information privacy: connected devices: security features. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, beginning in 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.This bill, beginning January 1, 2020, would, with certain exceptions, require a person who manufactures, or contracts with another person to manufacture on the persons behalf, a connected device that is sold or offered for sale in California, to equip the connected device, as defined, with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use. The bill would provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. The bill would grant exclusive authority to enforce these provisions to the Attorney General, a city attorney, a county counsel, or a district attorney.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.SEC. 2. This act shall become operative only if Senate Bill 327 of the 201718 Regular Session is also enacted and becomes effective.SECTION 1.Chapter 36 (commencing with Section 22948.30) is added to Division 8 of the Business and Professions Code, to read:36.Internet of Things Botnet Prevention Act22948.30.For purposes of this chapter:(a)Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b)Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or through a device, and that is assigned an Internet Protocol address.(c)Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d)Security feature means a feature of a device designed to provide security for that device.22948.31.(a)A manufacturer shall equip the connected device with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use.(b)Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either:(1)The preprogrammed password is unique to each device manufactured.(2)The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c)This chapter shall not be construed to impose any duty upon the manufacturer of a connected device related to unauthorized software or applications that violate the terms of use of a connected device.(d)This chapter shall not apply to any connected device whose functionality is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e)This chapter shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter.(f)This chapter shall become operative on January 1, 2020.
Amended IN Senate July 03, 2018 Amended IN Senate June 11, 2018 Amended IN Assembly May 09, 2018 Amended IN Assembly April 23, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1906Introduced by Assembly Member IrwinJanuary 22, 2018 An act to add Chapter 36 (commencing with Section 22948.30) to Division 8 of the Business and Professions Code, relating to business regulations. Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy.LEGISLATIVE COUNSEL'S DIGESTAB 1906, as amended, Irwin. Business regulations: information privacy: connected devices: security features. Information privacy: connected devices.Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, beginning in 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.This bill, beginning January 1, 2020, would, with certain exceptions, require a person who manufactures, or contracts with another person to manufacture on the persons behalf, a connected device that is sold or offered for sale in California, to equip the connected device, as defined, with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use. The bill would provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. The bill would grant exclusive authority to enforce these provisions to the Attorney General, a city attorney, a county counsel, or a district attorney.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Amended IN Senate July 03, 2018 Amended IN Senate June 11, 2018 Amended IN Assembly May 09, 2018 Amended IN Assembly April 23, 2018
Amended IN Senate July 03, 2018
Amended IN Senate June 11, 2018
Amended IN Assembly May 09, 2018
Amended IN Assembly April 23, 2018
CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION
Assembly Bill No. 1906
Introduced by Assembly Member IrwinJanuary 22, 2018
Introduced by Assembly Member Irwin
January 22, 2018
An act to add Chapter 36 (commencing with Section 22948.30) to Division 8 of the Business and Professions Code, relating to business regulations. Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1906, as amended, Irwin. Business regulations: information privacy: connected devices: security features. Information privacy: connected devices.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.This bill, beginning in 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.This bill, beginning January 1, 2020, would, with certain exceptions, require a person who manufactures, or contracts with another person to manufacture on the persons behalf, a connected device that is sold or offered for sale in California, to equip the connected device, as defined, with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use. The bill would provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. The bill would grant exclusive authority to enforce these provisions to the Attorney General, a city attorney, a county counsel, or a district attorney.
Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.
This bill, beginning in 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.
This bill, beginning January 1, 2020, would, with certain exceptions, require a person who manufactures, or contracts with another person to manufacture on the persons behalf, a connected device that is sold or offered for sale in California, to equip the connected device, as defined, with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use. The bill would provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. The bill would grant exclusive authority to enforce these provisions to the Attorney General, a city attorney, a county counsel, or a district attorney.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.SEC. 2. This act shall become operative only if Senate Bill 327 of the 201718 Regular Session is also enacted and becomes effective.SECTION 1.Chapter 36 (commencing with Section 22948.30) is added to Division 8 of the Business and Professions Code, to read:36.Internet of Things Botnet Prevention Act22948.30.For purposes of this chapter:(a)Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b)Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or through a device, and that is assigned an Internet Protocol address.(c)Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d)Security feature means a feature of a device designed to provide security for that device.22948.31.(a)A manufacturer shall equip the connected device with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use.(b)Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either:(1)The preprogrammed password is unique to each device manufactured.(2)The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c)This chapter shall not be construed to impose any duty upon the manufacturer of a connected device related to unauthorized software or applications that violate the terms of use of a connected device.(d)This chapter shall not apply to any connected device whose functionality is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e)This chapter shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter.(f)This chapter shall become operative on January 1, 2020.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.26. Security of Connected Devices1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.
SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:
### SECTION 1.
TITLE 1.81.26. Security of Connected Devices1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.
TITLE 1.81.26. Security of Connected Devices1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.
TITLE 1.81.26. Security of Connected Devices
TITLE 1.81.26. Security of Connected Devices
1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, appropriate to the nature and function of the device, and the information it may collect, contain, or transmit, designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) Security feature means a feature of a device designed to provide security for that device.(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
1798.91.05. For the purposes of this title, the following terms have the following meanings:
(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.
(b) Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address.
(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.
(d) Security feature means a feature of a device designed to provide security for that device.
(e) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.(h) This title shall become operative on January 1, 2020.
1798.90.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the users discretion.
(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter. However, the duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(f) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.
(g) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.
(h) This title shall become operative on January 1, 2020.
SEC. 2. This act shall become operative only if Senate Bill 327 of the 201718 Regular Session is also enacted and becomes effective.
SEC. 2. This act shall become operative only if Senate Bill 327 of the 201718 Regular Session is also enacted and becomes effective.
SEC. 2. This act shall become operative only if Senate Bill 327 of the 201718 Regular Session is also enacted and becomes effective.
### SEC. 2.
For purposes of this chapter:
(a)Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.
(b)Connected device means any device, or other physical object that is capable of connecting to the Internet, directly or through a device, and that is assigned an Internet Protocol address.
(c)Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.
(d)Security feature means a feature of a device designed to provide security for that device.
(a)A manufacturer shall equip the connected device with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use.
(b)Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either:
(1)The preprogrammed password is unique to each device manufactured.
(2)The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
(c)This chapter shall not be construed to impose any duty upon the manufacturer of a connected device related to unauthorized software or applications that violate the terms of use of a connected device.
(d)This chapter shall not apply to any connected device whose functionality is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
(e)This chapter shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter.
(f)This chapter shall become operative on January 1, 2020.