Oregon Latest State to Require Reasonable Security for IoT Devices
Client Alert | 2 min read | 06.07.19
On May 30, 2019, Oregon became the most recent state to mandate basic security on internet-connected devices with Governor Kate Brown’s signature on H.B. 2395. Oregon’s new statute follows the model of several other states that have introduced or enacted laws requiring security for internet-connected devices. Similar to a California law passed in September 2018, Oregon’s law requires manufacturers of “connected devices” to equip such devices with “reasonable security features.” California and Oregon’s laws will both go into force on January 1, 2020.
Oregon’s law largely tracks California’s 2018 statute, though one key difference appears in its definition of “connected device.” Oregon limits the definition of “connected device” to “any device or physical object that connects directly or indirectly to the Internet and is used primarily for personal, family or household purposes.” In contrast, California’s law applies more broadly to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol or Bluetooth address.”
Also notable is where Oregon followed California’s lead. Both laws describe “reasonable security features” as methods to protect a connected device that are “appropriate to the nature and function of the device” and the “information it may collect, contain or transmit” – despite criticisms that the definition is fraught with equal parts flexibility and uncertainty. Both also explicitly identify the following mechanisms for authentication from outside a local area network as “reasonable security features”:
- A preprogrammed password that is unique for each connected device; or
- A requirement that a user generate a new means of authentication before gaining access to the connected device for the first time.
Like California, Oregon generally carves out any security requirements imposed on connected devices by federal law or regulation, and separately explicitly exempt entities or persons that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Other state legislatures currently considering similar security requirements for connected devices include Illinois (H.B. 3391), Maryland (S. 553/H.B. 1276), and New York (S.3975/A.B. 2229).
Contacts
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 3 min read | 11.21.25
On November 7, 2025, in Thornton v. National Academy of Sciences, No. 25-cv-2155, 2025 WL 3123732 (D.D.C. Nov. 7, 2025), the District Court for the District of Columbia dismissed a False Claims Act (FCA) retaliation complaint on the basis that the plaintiff’s allegations that he was fired after blowing the whistle on purported illegally discriminatory use of federal funding was not sufficient to support his FCA claim. This case appears to be one of the first filed, and subsequently dismissed, following Deputy Attorney General Todd Blanche’s announcement of the creation of the Civil Rights Fraud Initiative on May 19, 2025, which “strongly encourages” private individuals to file lawsuits under the FCA relating to purportedly discriminatory and illegal use of federal funding for diversity, equity, and inclusion (DEI) initiatives in violation of Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity (Jan. 21, 2025). In this case, the court dismissed the FCA retaliation claim and rejected the argument that an organization could violate the FCA merely by “engaging in discriminatory conduct while conducting a federally funded study.” The analysis in Thornton could be a sign of how forthcoming arguments of retaliation based on reporting allegedly fraudulent DEI activity will be analyzed in the future.
Client Alert | 3 min read | 11.20.25
Client Alert | 3 min read | 11.20.25
Client Alert | 6 min read | 11.19.25
