| 1 | | - | Assembly Bill No. 2392 CHAPTER 785 An act to amend Sections 1798.91.04 and 1798.91.05 of, and to repeal Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of, the Civil Code, relating to information privacy. [ Approved by Governor September 29, 2022. Filed with Secretary of State September 29, 2022. ] LEGISLATIVE COUNSEL'S DIGESTAB 2392, Irwin. Information privacy: connected devices: labeling.Existing law requires a manufacturer of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and information contained in the device from unauthorized access, destruction, use, modification, or disclosure.This bill would provide that a manufacturer of a connected device may elect to satisfy the above-described provisions by ensuring the connected device meets or exceeds the baseline product criteria of a labeling scheme that conforms to specified guidance published by the National Institute of Standards and Technology (NIST) for consumer Internet of Things (IoT) products, satisfies a conformity assessment as described by a NIST conforming labeling scheme, as specified, and bears the binary label as described by a NIST conforming labeling scheme.This bill would also make nonsubstantive changes that remove provisions redundant to the above-described existing provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. The Legislature finds and declares all of the following:(a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.(b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order.(c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner.(d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations.SEC. 2. Section 1798.91.04 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme.SEC. 3. Section 1798.91.05 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.SEC. 4. Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of the Civil Code, as added by Section 1 of Chapter 886 of the Statutes of 2018, is repealed. |
|---|
| 1 | + | Enrolled August 30, 2022 Passed IN Senate August 24, 2022 Passed IN Assembly August 29, 2022 Amended IN Senate June 23, 2022 Amended IN Assembly March 28, 2022 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 2392Introduced by Assembly Member IrwinFebruary 17, 2022 An act to amend Sections 1798.91.04 and 1798.91.05 of, and to repeal Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of, the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTAB 2392, Irwin. Information privacy: connected devices: labeling.Existing law requires a manufacturer of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and information contained in the device from unauthorized access, destruction, use, modification, or disclosure.This bill would provide that a manufacturer of a connected device may elect to satisfy the above-described provisions by ensuring the connected device meets or exceeds the baseline product criteria of a labeling scheme that conforms to specified guidance published by the National Institute of Standards and Technology (NIST) for consumer Internet of Things (IoT) products, satisfies a conformity assessment as described by a NIST conforming labeling scheme, as specified, and bears the binary label as described by a NIST conforming labeling scheme.This bill would also make nonsubstantive changes that remove provisions redundant to the above-described existing provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. The Legislature finds and declares all of the following:(a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.(b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order.(c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner.(d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations.SEC. 2. Section 1798.91.04 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme.SEC. 3. Section 1798.91.05 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.SEC. 4. Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of the Civil Code, as added by Section 1 of Chapter 886 of the Statutes of 2018, is repealed. |
|---|
| 14 | 25 | | |
|---|
| 15 | 26 | | LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 16 | 27 | | |
|---|
| 17 | 28 | | ## LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 18 | 29 | | |
|---|
| 19 | 30 | | AB 2392, Irwin. Information privacy: connected devices: labeling. |
|---|
| 20 | 31 | | |
|---|
| 21 | 32 | | Existing law requires a manufacturer of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and information contained in the device from unauthorized access, destruction, use, modification, or disclosure.This bill would provide that a manufacturer of a connected device may elect to satisfy the above-described provisions by ensuring the connected device meets or exceeds the baseline product criteria of a labeling scheme that conforms to specified guidance published by the National Institute of Standards and Technology (NIST) for consumer Internet of Things (IoT) products, satisfies a conformity assessment as described by a NIST conforming labeling scheme, as specified, and bears the binary label as described by a NIST conforming labeling scheme.This bill would also make nonsubstantive changes that remove provisions redundant to the above-described existing provisions. |
|---|
| 22 | 33 | | |
|---|
| 23 | 34 | | Existing law requires a manufacturer of a connected device to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and information contained in the device from unauthorized access, destruction, use, modification, or disclosure. |
|---|
| 24 | 35 | | |
|---|
| 25 | 36 | | This bill would provide that a manufacturer of a connected device may elect to satisfy the above-described provisions by ensuring the connected device meets or exceeds the baseline product criteria of a labeling scheme that conforms to specified guidance published by the National Institute of Standards and Technology (NIST) for consumer Internet of Things (IoT) products, satisfies a conformity assessment as described by a NIST conforming labeling scheme, as specified, and bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 26 | 37 | | |
|---|
| 27 | 38 | | This bill would also make nonsubstantive changes that remove provisions redundant to the above-described existing provisions. |
|---|
| 28 | 39 | | |
|---|
| 29 | 40 | | ## Digest Key |
|---|
| 30 | 41 | | |
|---|
| 31 | 42 | | ## Bill Text |
|---|
| 32 | 43 | | |
|---|
| 33 | 44 | | The people of the State of California do enact as follows:SECTION 1. The Legislature finds and declares all of the following:(a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.(b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order.(c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner.(d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations.SEC. 2. Section 1798.91.04 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme.SEC. 3. Section 1798.91.05 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer.SEC. 4. Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of the Civil Code, as added by Section 1 of Chapter 886 of the Statutes of 2018, is repealed. |
|---|
| 34 | 45 | | |
|---|
| 35 | 46 | | The people of the State of California do enact as follows: |
|---|
| 36 | 47 | | |
|---|
| 37 | 48 | | ## The people of the State of California do enact as follows: |
|---|
| 38 | 49 | | |
|---|
| 39 | 50 | | SECTION 1. The Legislature finds and declares all of the following:(a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.(b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order.(c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner.(d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations. |
|---|
| 40 | 51 | | |
|---|
| 41 | 52 | | SECTION 1. The Legislature finds and declares all of the following:(a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.(b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order.(c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner.(d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations. |
|---|
| 42 | 53 | | |
|---|
| 43 | 54 | | SECTION 1. The Legislature finds and declares all of the following: |
|---|
| 44 | 55 | | |
|---|
| 45 | 56 | | ### SECTION 1. |
|---|
| 46 | 57 | | |
|---|
| 47 | 58 | | (a) On May 12, 2021, President Joseph Biden issued the Executive Order on Improving the Nations Cybersecurity (E.O. 14028) directing the National Institute of Standards and Technology (NIST) to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria. |
|---|
| 48 | 59 | | |
|---|
| 49 | 60 | | (b) On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products to fulfill the requirements of the Executive Order. |
|---|
| 50 | 61 | | |
|---|
| 51 | 62 | | (c) NISTs recommended criteria aim to identify key elements of labeling in terms of minimum recommendations and desirable attributes for use by a labeling scheme owner. |
|---|
| 52 | 63 | | |
|---|
| 53 | 64 | | (d) NIST decided against establishing its own labeling program in favor of allowing various schemes owned by various public or private sector organizations. |
|---|
| 54 | 65 | | |
|---|
| 55 | 66 | | SEC. 2. Section 1798.91.04 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 56 | 67 | | |
|---|
| 57 | 68 | | SEC. 2. Section 1798.91.04 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read: |
|---|
| 58 | 69 | | |
|---|
| 59 | 70 | | ### SEC. 2. |
|---|
| 60 | 71 | | |
|---|
| 61 | 72 | | 1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 62 | 73 | | |
|---|
| 63 | 74 | | 1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 64 | 75 | | |
|---|
| 65 | 76 | | 1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:(1) Appropriate to the nature and function of the device.(2) Appropriate to the information it may collect, contain, or transmit.(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:(1) The preprogrammed password is unique to each device manufactured.(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.(c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following:(1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme.(2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification.(3) Bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 66 | 77 | | |
|---|
| 67 | 78 | | |
|---|
| 68 | 79 | | |
|---|
| 69 | 80 | | 1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following: |
|---|
| 70 | 81 | | |
|---|
| 71 | 82 | | (1) Appropriate to the nature and function of the device. |
|---|
| 72 | 83 | | |
|---|
| 73 | 84 | | (2) Appropriate to the information it may collect, contain, or transmit. |
|---|
| 74 | 85 | | |
|---|
| 75 | 86 | | (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure. |
|---|
| 76 | 87 | | |
|---|
| 77 | 88 | | (b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met: |
|---|
| 78 | 89 | | |
|---|
| 79 | 90 | | (1) The preprogrammed password is unique to each device manufactured. |
|---|
| 80 | 91 | | |
|---|
| 81 | 92 | | (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. |
|---|
| 82 | 93 | | |
|---|
| 83 | 94 | | (c) A manufacturer of a connected device may elect to satisfy the requirements of subdivision (a) by ensuring the connected device does all of the following: |
|---|
| 84 | 95 | | |
|---|
| 85 | 96 | | (1) Meets or exceeds the baseline product criteria of a NIST conforming labeling scheme. |
|---|
| 86 | 97 | | |
|---|
| 87 | 98 | | (2) Satisfies a conformity assessment as described by a NIST conforming labeling scheme that includes a third-party test, inspection, or certification. |
|---|
| 88 | 99 | | |
|---|
| 89 | 100 | | (3) Bears the binary label as described by a NIST conforming labeling scheme. |
|---|
| 90 | 101 | | |
|---|
| 91 | 102 | | SEC. 3. Section 1798.91.05 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read:1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer. |
|---|
| 92 | 103 | | |
|---|
| 93 | 104 | | SEC. 3. Section 1798.91.05 of the Civil Code, as added by Section 1 of Chapter 860 of the Statutes of 2018, is amended to read: |
|---|
| 94 | 105 | | |
|---|
| 95 | 106 | | ### SEC. 3. |
|---|
| 96 | 107 | | |
|---|
| 97 | 108 | | 1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer. |
|---|
| 98 | 109 | | |
|---|
| 99 | 110 | | 1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer. |
|---|
| 100 | 111 | | |
|---|
| 101 | 112 | | 1798.91.05. For the purposes of this title, the following terms have the following meanings:(a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system.(b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.(c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.(d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications.(e) Security feature means a feature of a device designed to provide security for that device.(f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer. |
|---|
| 102 | 113 | | |
|---|
| 103 | 114 | | |
|---|
| 104 | 115 | | |
|---|
| 105 | 116 | | 1798.91.05. For the purposes of this title, the following terms have the following meanings: |
|---|
| 106 | 117 | | |
|---|
| 107 | 118 | | (a) Authentication means a method of verifying the authority of a user, process, or device to access resources in an information system. |
|---|
| 108 | 119 | | |
|---|
| 109 | 120 | | (b) Connected device means any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address. |
|---|
| 110 | 121 | | |
|---|
| 111 | 122 | | (c) Manufacturer means the person who manufactures, or contracts with another person to manufacture on the persons behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the persons behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. |
|---|
| 112 | 123 | | |
|---|
| 113 | 124 | | (d) NIST conforming labeling scheme means a labeling scheme conforming to the Cybersecurity White Paper titled Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products published by the National Institute of Standards and Technology (NIST) on February 4, 2022, including any revisions or successor publications. |
|---|
| 114 | 125 | | |
|---|
| 115 | 126 | | (e) Security feature means a feature of a device designed to provide security for that device. |
|---|
| 116 | 127 | | |
|---|
| 117 | 128 | | (f) Unauthorized access, destruction, use, modification, or disclosure means access, destruction, use, modification, or disclosure that is not authorized by the consumer. |
|---|
| 118 | 129 | | |
|---|
| 119 | 130 | | SEC. 4. Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of the Civil Code, as added by Section 1 of Chapter 886 of the Statutes of 2018, is repealed. |
|---|
| 120 | 131 | | |
|---|
| 121 | 132 | | SEC. 4. Title 1.81.26 (commencing with Section 1798.91.04) of Part 4 of Division 3 of the Civil Code, as added by Section 1 of Chapter 886 of the Statutes of 2018, is repealed. |
|---|
| 122 | 133 | | |
|---|
| 123 | 134 | | ### SEC. 4. |
|---|