New California Law Restricts Use of Default Passwords
On January 1, 2020, California Senate Bill No. 327 will become effective. See Title 1.81.26 of Part 4 of Division 3 of the California Civil Code. The new law will restrict the use of default passwords in devices that connect to the internet. This is great step forward in enhancing the cyber security of the Internet of Things. The law specifically requires a manufacturer to, "equip the device with a reasonable security feature or features that are (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit, and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified." 1798.91.04. This leaves open the possibility that a device can be secured without a password such as by using universal 2nd factor authentication or other means.
Either a unique, pre-programmed password must be assigned to each device, or the device must require a user to generate a new means of authentication before he or she access it for the first time.
Notably the law does not create a private right of action and leaves enforcement to the State.