New California Law Restricts Use of Default Passwords
December 21, 2018
On January 1, 2020, California Senate Bill No. 327 will become effective. See Title 1.81.26 of Part 4 of Division 3 of the California Civil Code. The new law will restrict the use of default passwords in devices that connect to the internet. This is a great step forward in enhancing the cyber security of the Internet of Things. The law specifically requires a manufacturer to "equip the device with a reasonable security feature or features that are (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified." 1798.91.04. This leaves open the possibility that a device can be secured without a password, such as by using universal 2nd factor authentication or other means.
Either a unique, pre-programmed password must be assigned to each device, or the device must require a user to generate a new means of authentication before he or she accesses it for the first time.
Notably, the law does not create a private right of action and leaves enforcement to the State.