As internet-connected devices are getting more and more popular, lawmakers are looking at new ways to help protect consumers — and ensure their data isn’t being put at risk by the companies that hold it.
At the federal level, there have been a number of attempts to add regulations that would protect owners of internet of things devices. The Cybersecurity Improvement Act of 2019, introduced last month by Senator Mark Warner of Virginia, would create new requirements for internet-connected devices. The details of the bill are a bit sparse, but it would require the National Institute of Standards and Technology to develop new recommendations for device makers to follow. Those rules would aim to shore up some of the cybersecurity shortcomings that currently plague internet-connected devices, like easy-to-guess default passwords that put millions of products and the households that have them at risk.
“The IoT Cybersecurity Improvement Act attempts to … provide light-touch guidance and security requirements for IoT devices to protect the industry and ultimately the consumer,” wrote North Carolina Rep. Ted Budd, a co-sponsor.
A number of states have gone a step further than the federal law, actually creating specific rules that device makers would have to follow. California, often a leader in digital privacy policy, passed a bill regulating internet of things devices in 2018. Set to go into effect on January 1, 2020, the law will require companies to include “reasonable” security features on their products. That includes requiring shipping devices with unique passwords or forcing users to set passwords when they set up the device.
From Internet connected watches to Internet connected thermostats, as the Internet of Things is integrated into our most private areas, consumers should have the assurance that these devices are secure and fend off unwanted intrusion. #orpol #orleg https://t.co/dtH4OvXxG3
— Jennifer Williamson (@Jennifer_for_OR) April 16, 2019
In Oregon, lawmakers are pursuing a similar path. The state’s House of Representatives recently passed a bill that will require each smart device sold in the state to come with a unique password. The extremely simple requirement is one of the easiest ways to mitigate brute force attacks, in which hackers are able to crack the protection on devices because they use a default password that owners often opt not to change. Hackers can then set up botnets and other attacks that can target many devices at once.
Oregon’s law would also require device manufacturers to follow any federal laws that are passed if they implement stricter requirements than the state’s own laws.
