FEW EVENTS HAVE RESHAPED the business landscape more than the EU’s General Data Protection Regulation (GDPR), which enacted strict rules, regulations, and penalties for organizations handling data that touches European citizens. Next year, however, all eyes will be on California’s new law, Security of Connected Devices, which will require manufacturers to include “reasonable” security features in Internet of Things (IoT) devices starting in 2020. The law addresses issues such as authentication and device use, as well as modification and destruction of devices and data.
For VARs, systems integrators, and others, the stakes couldn’t be higher. Businesses are increasingly on the hook for operating IT systems that lock down data security and privacy. Lapses can result in fines and other penalties—including reputational damage. “Society is beginning to wake up to the fact that interconnected devices must have adequate security and privacy protections,” declares Lisa R. Lifshitz, a partner at the law firm of Torkin Manes in Toronto.
What’s more, as concerns about security vulnerabilities and data privacy grow, the likelihood of additional regulation is high. “We should anticipate more regulations as potential abuses are exposed,” says Jack Knocke, president of IoT Advisor Group, a business and IoT consultancy. “As organizations capture more data, regulators have become more aware of how technology is generating new types of data that require specific regulation on capture, storage, combination, and sharing.”
California Setting a Baseline
California’s foray into IoT security and privacy is clearly a harbinger of things to come. The state wields enormous power—it represents about 14 percent of the U.S. GDP—and actions it takes frequently ripple out across the country … and beyond. California’s law “essentially establishes a baseline for the rest of the U.S. and even other countries,” Lifshitz points out. “We live in a global interconnected economy and, in general, it’s easier and less costly to comply with the California statute than to create multiple approaches and systems for different places.”
Meanwhile, Lifshitz says, other countries, states, and provinces are enacting or looking into stricter data privacy standards and laws. In Canada, for example, businesses are bound by a national data consent and breach notification law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Some provinces, such as Alberta, have passed additional measures. “It’s important to not pull the wool over your eyes because the place where the law is enacted isn’t where you do business. These regulations hold everyone to a higher standard,” Lifshitz explains.