Bill Text

Bill Information

PDF |Add To My Favorites |Track Bill | print page

AB-1906 Business regulations: information privacy: connected devices: security features.(2017-2018)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 06/11/2018 09:00 PM
AB1906:v96#DOCUMENT

Amended  IN  Senate  June 11, 2018
Amended  IN  Assembly  May 09, 2018
Amended  IN  Assembly  April 23, 2018

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 1906


Introduced by Assembly Member Irwin

January 22, 2018


An act to add Chapter 36 (commencing with Section 22948.30) to Division 8 of the Business and Professions Code, relating to business regulations.


LEGISLATIVE COUNSEL'S DIGEST


AB 1906, as amended, Irwin. Business regulations: information privacy: connected devices: security features.
Existing law requires a device that includes an integrated and enabled wireless access point and that is sold as new in California for use in a small office, home office, or residential setting to be manufactured to include certain security warnings or advisories about protection against unauthorized access. Existing law also prohibits a person or entity from providing for the operation of a voice recognition feature in California without prominently informing, during initial setup or installation of a connected television, either the user or person designated by the user to perform the initial setup or installation of the connected television.
This bill, beginning January 1, 2020, would would, with certain exceptions, require a manufacturer that sells or offers to sell person who manufactures, or contracts with another person to manufacture on the person’s behalf, a connected device that is sold or offered for sale in California California, to equip the connected device, as defined, with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use. The bill would provide that equipping a connected device with a means for authentication outside a local area network is deemed a reasonable security feature, if the preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. The bill would grant exclusive authority to enforce these provisions to the Attorney General, a city attorney, a county counsel, or a district attorney.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NOYES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 36 (commencing with Section 22948.30) is added to Division 8 of the Business and Professions Code, to read:
CHAPTER  36. Internet of Things Botnet Prevention Act

22948.30.
 For purposes of this chapter:
(a) “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system.
(b) “Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or through a device, and that is assigned an Internet Protocol address.
(c) “Manufacturer” means the person who (1) physically manufactures, and (2) sells or offers to sell a connected device in California. manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.
(d) “Security feature” means a feature of a device designed to provide security for that device.

22948.31.
 (a) A manufacturer shall equip the connected device with a reasonable security feature or features, appropriate to the nature and function of the device, designed to protect the device from unauthorized remote access or use.
(b) Equipping a connected device with a means for authentication outside a local area network shall be deemed a reasonable security feature under subdivision (a) if either:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
(c) This chapter shall not be construed to impose any duty upon the manufacturer of a connected device related to unauthorized software or applications that violate the terms of use of a connected device.
(d) This chapter shall not apply to any connected device whose functionality is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
(e) This chapter shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this chapter.
(f) This chapter shall become operative on January 1, 2020.