Two years ago, we published a series of posts about the cannabis industry’s embrace of the Internet of Things (“IoT”)—the network of physical objects connected through the Internet—for use in everything from garden sensors to dispensers. In that same series, we also discussed some of the potential legal risks and ramifications of using the IoT in the cannabis business—particularly some of the privacy and security risks inherent in the IoT.
Just last week, California Governor Jerry Brown approved SB-327, the first information security law in the U.S. specifically targeting the IoT. SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices—essentially, devices in the IoT—to equip them with “reasonable” security measures. These security measures must be appropriate to the nature of the devices and the information they collect and contain, and must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed outside of a local area network either to be equipped with a unique password or to allow a user to generate their own password.
It’s important to emphasize that SB-327 does not impose any requirements on users of IoT devices, but rather on manufacturers. So, for many businesses in the cannabis space that rely on the IoT, no real changes in operations may be necessary. Both plant-touching and ancillary marijuana companies that manufacture qualifying devices, on the other hand, may need to re-do or even re-invent their products.
It’s also important to note that the law applies to more than just California manufacturers. It applies so long as a business manufactures—either itself or through a contracting third party—qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.
Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers—especially of devices that gather or contain sensitive information—compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.