A few days ago, California passed the first U.S. information security law specifically targeting the Internet of Things (or IoT). We wrote about the law, SB-327, about a year ago when it first passed. SB-327 has gotten relatively little press compared to California’s other pioneering data protection statute, the California Consumer Privacy Act. But when it comes to buying devices from China, SB-327 can have a much broader effect for U.S.-based companies.
For a refresher, SB-327 took effect on January 1, 2020. It requires manufacturers of connected devices — essentially, IoT devices — to equip those devices with “reasonable” security measures. These security measures are poorly defined, but generally they must be appropriate for the nature of the devices and for the information they collect and contain, and they must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires that devices that can be accessed from outside a local area network either be equipped with a unique password or allow their users to generate their own password.
SB-327 applies to any business that manufactures — either itself or through a contracting third party — qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold number for product sales in California. Consequently, pretty much any manufacturer, anywhere, can be subject to SB-327.
This all seems relatively simple, if a little costly. And for companies buying IoT-equipped chips or devices from manufacturers in most places in the world, it probably is not so challenging. But all that goes out the window with China.
If your company is buying IoT-equipped chips or devices from China for use in products made in California, chances are that you cannot trust that the IoT chips comply with California law. You should ask yourself (or your lawyer) these basic questions:
- Is the manufacturer promising that the products comply with California’s new requirement?
- Will the manufacturer tell me how the product complies with California law?
- Have we verified that all of the manufacturer’s specifications and representations about their compliance with U.S. laws are correct?
- Have we thoroughly tested the product to ensure that there are no vulnerabilities that would allow access to information on the device by persons outside the U.S.?
If the answer to any of these questions is “no”, or even just “we don’t know” or “maybe”, that’s a bad sign. The bottom line is, do you (or even can you) trust your China-based IoT chip manufacturer? Do you think that their word is good enough to bet on in a lawsuit by the California Attorney General? As experienced China lawyers, we can tell you that it is the rare overseas manufacturer who has any clue about foreign product requirements, so the odds that your Chinese or Vietnamese or Thai or Indonesian or Mexican manufacturer knows California’s brand new IoT requirements are close to zero. In other words, it’s going to be up to you.
These questions are critical because, again, your company could face liability if it incorporates non-compliant, overseas-manufactured IoT chips into a product in California. And knowing how aggressive the California Attorney General is, our California lawyers are just waiting for this to happen.