California was the first state to establish a cybersecurity law covering "smart" devices. The bill, SB-327 Information privacy: connected devices, was introduced in 2017 and passed in the state senate in August 2017.
Starting in January 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure.
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (b) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
What does "reasonable" mean?
If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (so, no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.
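The two prongs of subdivision (b) are easier to see in code. The following is an added example, not Amatis Controls code or statute text: each device gets its own random factory secret (prong 1), that secret can only be used to set a user-chosen credential, and every login is refused until that has happened (prong 2). Class and method names are illustrative.

```python
from typing import Optional
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000          # illustrative work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Login gate for one connected device (illustrative, not Amatis firmware)."""

    def __init__(self, factory_secret: Optional[str] = None):
        # Prong (b)(1): each unit gets its own random factory secret, so there
        # is no fleet-wide default credential to leak or guess.
        self.factory_secret: Optional[str] = factory_secret or secrets.token_urlsafe(16)
        self.salt = os.urandom(16)
        self.user_hash: Optional[bytes] = None   # filled in by first-use setup

    def set_user_credential(self, factory_secret: str, new_password: str) -> bool:
        """First-use setup: prove possession of this device's factory secret,
        then replace it with a user-chosen password (prong (b)(2))."""
        if self.factory_secret is None:
            return False                        # setup already done; secret retired
        if not hmac.compare_digest(factory_secret.encode(), self.factory_secret.encode()):
            return False
        if len(new_password) < 12 or new_password == factory_secret:
            return False                        # reject weak or recycled secrets
        self.user_hash = _hash_password(new_password, self.salt)
        self.factory_secret = None              # factory secret can never be used again
        return True

    def login(self, password: str) -> bool:
        """Refuse every login until the user has generated their own credential;
        after that, compare password hashes in constant time."""
        if self.user_hash is None:
            return False
        return hmac.compare_digest(_hash_password(password, self.salt), self.user_hash)
```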
Amatis Controls compliance with SB-327
Throughout our system we implement industry-standard security measures, leveraging our IPv6 backbone to stay up to date with the latest cybersecurity "best practices" and to ensure compliance with the forthcoming IoT laws (CA SB-327).
We partner with Cybeats, who provide active monitoring for cybersecurity threats and also ensure we follow best practices. They are also able to generate reports for us that identify any vulnerabilities we may not have addressed.
The wireless communication used across our mesh network is called 6LoWireless, a robust protocol built for Amatis internet-connected devices. Amatis 6LoWireless is secure, encrypting all messages across the mesh network with AES 128-bit encryption.
Amatis App and Dashboard users can connect to their assigned lighting controls sites outside a LAN if the site Amatis Border Router (AMBR) device remains connected to the cloud.
Amatis App and Dashboard users are prompted to create individual accounts with unique passwords and the ability to change the password directly.
The Amatis API requires user authentication, with 2-factor authentication available.