This paper examines law on the security of connected devices (hereinafter referred to as "IoT Security Law "), which is the California State Act enacted in September 2018 and will be enforced from January 2020. The IoT security law is the first state law to regulate the security of devices connected to the Internet (connected devices), and California is the first state in the country to enact IoT security law. This law is supposed to be added to Part 4 of the California People's Law, Section 4, which stipulates the obligation of the operator, but no penalty is placed when it violates it. While there is a discussion to evaluate this law as implementing security by design or privacy by design, this law adds only three articles to the Civil Code. Therefore, some doubts about ambiguity and the effsectiveness of regulation have also been pointed out.