While right-to-repair (RTR) laws have been championed by consumer advocates, legislation tracking across dozens of U.S. states is still giving the security industry some heartburn.
The Alarm Industry Communications Committee (AICC), an arm of The Monitoring Association, continues to be concerned about RTR legislation compromising alarm systems by requiring the disclosure of lockout codes, passwords, system design schematics or other information to customers and third-party contractors attempting their own repairs.
The security industry did score a legal victory in New York state, where the Fair Repair Act passed in December – mostly crafted via a template from the Repair Association -- was amended by lawmakers to include exemptions for security devices.
What New York Changed
Some observers believe the “chapter amendments” approved in New York could play a key role in RTR laws being drafted in other states since New York is a major market. Here is a rundown of the key amendments to the New York Act:
* Creation of “home” security devices and alarm system exemption. No original equipment manufacturer or authorized repair provider would be required to make parts, tools or repair documents of home appliances available if they have a “digital electronic product embedded” inside. Security devices or alarm systems, including any related software and components, are exempted.
* Exemption for commercial alarm systems. The amendment says this applies to “any product solder under a specific business-to-government or business-to-business contract, which is not otherwise offered for sale directly by a retail seller.”
* Deletion of the requirement to disclose security codes and passwords. The amendments eliminated requirements to provide security codes and passwords. But the act still requires non-exempt entities to provide manuals, diagrams, reporting outputs, service code descriptions, schematic diagrams, or “similar kinds of information,” but only if they are “required for” diagnosis and repair.
* Grandfathering: If any alarm equipment is not exempt, the definition of “digital electronic equipment” grandfathers equipment manufactured for the first time, and first sold or used in New York on or after July 1, 2023. “This grandfathering shrinks the scope of the problem considerably and would give any affected (non-exempt) alarm manufacturer or provider until July 1 to shore up any exposures in its repair/maintenance procedures and documentation for any equipment that may arguably still fall within the requirements of the Act,” the AICC said in March memo.
* Definition of a part. The amendments clarify that “part” does not include printed board assemblies, which could allow illegal device cloning.
Other amendments protect not only trade secrets from disclosure but also “intellectual property. And the law allows manufacturers to protect themselves by sending assembled devices, rather than individual component parts, for repair use.The National Picture
Although New York’s amended law is seen as a victory for security advocates, RTR legislation is making its way across the U.S. and it does not appear concerns about security issues are being taken up by lawmakers. Several states have used the Repair Association’s template as a basis for their bill. To date, some 40 states have explored such legislation in the last decade, and two dozen of them are actively considering bills this year, according to the Repair Association’s website.
The Security Industry Association says a total of 80 RTR bills have been filed across the U.S. at the state level this year, and none of the bills include security exemptions.
“We have seen substantial success tabling these measures this year in a long list of states including Virginia, Hawaii, Georgia and Montana, but a majority of right-to-repair bills that are still alive remain as introduced and are still a grave concern for the industry,” says Colby Williams, associate director of government relations for the Security Industry Association.
“SIA will continue to work with industry leaders, allied organizations and lawmakers across the country to address the risks posed by right-to-repair legislation that does not adequately address our security and life safety concerns.”
John A. Prendergast, a Washington D.C. attorney who provides counsel to AICC, says bills in Ohio, Minnesota and Washington are pushing forward, and lawmakers may vote on the Minnesota bill soon.
“It appears most states introducing Right to Repair legislation have not included a security/alarm exception, for the simple reason that the need for such exception simply did not occur to them,” Prendergast says.
Serious Risks
AICC and other industry members are trying to educate relevant state and federal lawmakers that if security codes, passwords, system schematics and other information for alarm systems are made available to the public -- however well-intentioned, “this information will inevitably find its way to those that would use it to defeat alarm services,” Prendergast notes.
Bad actors could use the information to disable the alarm systems at businesses or homes, or devices intended for personal safety to prevent stalking. Even critical infrastructure could fall risk to terrorism through an alarm system being disarmed, he says.
“While we understand this is a complex issue being pushed with the best of intentions, these bills have drastic unintended consequences and compromise the safety and security of individuals and businesses which rely on electronic security systems,” William says. “SIA and our member companies have and will continue to engage in any state where broad right-to-repair legislation is being proposed by educating elected officials on the safety and security risks, as well as advocating for legislative amendments to clearly exclude security and life safety devices from any right-to-repair provisions.”
Gay Gordon-Byrne, executive director of the Repair Association, described the changes to New York’s RTR law as “pure politics” and noted the association’s legislative template had been used more than 100 times in 43 states. She says the alarm industry had not provided examples of how businesses might be impacted until this year.
“We have since learned from a professional fire alarm supplier in another state that in many cases, the service providers such as ADT are the equipment owners and lease the hardware as part of a package. Thus, as owners and not OEMS -- they aren’t required to provide repair service materials,” Gordon-Byrne said. “Additionally, many local building codes or state laws require that repairs be made only by providers that are licensed or have some other form of official qualification -- further reducing the instance of unqualified people gaining access to repair materials. We have added appropriate language making the code requirements clear.”
From a cybersecurity standpoint, Gordon-Byrne added, “There is no connection between design for repair and design for cyber risk. OEMs would not provide cybersecurity back doors or holes in their repair documentation because that information would be available worldwide in a nanosecond.
“We’re very interested in making sure that security alarms remain secure for their owner’s benefit, not for the OEMs.”
Federal Bill Coming?
Both Prendergast and Williams said they are monitoring rumors of a federal bill resurfacing this year after national legislation introduced in 2021 did not advance.
The Fair Repair Act introduced that year by U.S. Rep. Joe Morelle would have required OEMs to make diagnostic, maintenance and repair equipment available to independent repair providers. Two other proposed laws dealt mostly with the automotive industry.
Williams said SIA has “already started having conversations with several members of Congress to get ahead of any potential federal legislation.”
The right-to-repair movement has also gained traction on a federal level. Last month, attorney generals from 28 states sent a letter to the U.S. House Energy and Commerce Committee and Senate Committee on Commerce, Science and Transportation urging them to increase efforts to pass RTR legislation.
“The Right-to-Repair is a bipartisan issue that impacts every consumer, household and farm in a time of increasing inflation,” the March 30 letter said. “It is about ensuring that consumers have choices as to who, where, when, and at what cost their vehicles can be repaired.
“Manufacturing of automobiles, digital devices and agricultural equipment is increasingly becoming more technologically advanced and built with more embedded electronics. OEMs often control access to these electronic parts, creating unfair restraint of trade and a monopoly on repair. This can harm consumers directly by driving up prices and is antithetical to a free market.”
John Dobberstein is the managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at various newspapers and B2B magazines.