No more "admin/admin" or "password/password". Enforcement and penalties are not mentioned.
The next step should be to ban all the most popular passwords, à la 123456 or password123; defining a mandatory regex for passwords should be even easier.
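As an added illustration of the two checks proposed above (this is example code, not part of the original thread or of the bill): a small password-policy function that rejects vendor-default credential pairs such as admin/admin, rejects entries from a common-password denylist after normalising obvious variants like "Password123!", and applies a mandatory pattern. The denylist, the default-credential pairs and the specific regex rule are constructed assumptions for illustration.

```python
import re

# Constructed sample denylist. A real deployment would load a large list of
# commonly used or breached passwords from a file, not hard-code a handful.
BANNED_PASSWORDS = {
    "123456", "password", "password123", "qwerty", "admin", "letmein",
    "12345678", "welcome", "iloveyou",
}

# Constructed set of vendor-default credential pairs (assumption for illustration).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("password", "password"), ("root", "root")}

# Mandatory pattern (assumption): at least 12 characters with one lower-case
# letter, one upper-case letter and one digit.
PASSWORD_REGEX = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$")


def normalize(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' still matches 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_banned(password: str) -> bool:
    """True if the password, or its normalised form, is on the denylist."""
    return password.lower() in BANNED_PASSWORDS or normalize(password) in BANNED_PASSWORDS


def is_default_credential(username: str, password: str) -> bool:
    """True for known vendor defaults and for username == password (case-insensitive)."""
    u, p = username.lower(), password.lower()
    return (u, p) in DEFAULT_CREDENTIALS or u == p


def check_password(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if is_default_credential(username, password):
        problems.append("default or username-equals-password credential")
    if is_banned(password):
        problems.append("password is on the common-password denylist")
    if not PASSWORD_REGEX.match(password):
        problems.append("password does not meet length/character requirements")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("bob", "Password123!"), ("alice", "Correct-Horse-Battery9")]:
        print(user, pw, check_password(user, pw) or "OK")
```

Note that "Password123!" satisfies the regex yet is still rejected by the denylist once trailing digits and symbols are stripped; the denylist and a minimum length do most of the work, which is why NIST SP 800-63B recommends screening against known-bad lists rather than relying on composition rules.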
@kpinkham wrote: No more "admin/admin" or "password/password". Enforcement and penalties are not mentioned.
You can read the bill itself here:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
From the bill:
"(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority."
My interpretation: This law does not apply to any government systems or critical infrastructure systems that have legal or regulatory security mandates, such as FISMA or RMF or CSF.
"(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title."
My interpretation: (a) It is up to state or local prosecutors to enforce the law. It is not clear that they would do so by filing criminal charges or by civil suit, but I suspect the latter.
(b) No private or personal civil lawsuits can use this law as the basis for the suit.