Oregon Latest State to Require Reasonable Security for IoT Devices

Client Alert | 2 min read | 06.07.19

On May 30, 2019, Oregon became the most recent state to mandate basic security on internet-connected devices with Governor Kate Brown’s signature on H.B. 2395. Oregon’s new statute follows the model of several other states that have introduced or enacted laws requiring security for internet-connected devices. Similar to a California law passed in September 2018, Oregon’s law requires manufacturers of “connected devices” to equip such devices with “reasonable security features.” California and Oregon’s laws will both go into force on January 1, 2020.

Oregon’s law largely tracks California’s 2018 statute, though one key difference appears in its definition of “connected device.” Oregon limits the definition of “connected device” to “any device or physical object that connects directly or indirectly to the Internet and is used primarily for personal, family or household purposes.” In contrast, California’s law applies more broadly to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol or Bluetooth address.”

Also notable is where Oregon followed California’s lead. Both laws describe “reasonable security features” as methods to protect a connected device that are “appropriate to the nature and function of the device” and the “information it may collect, contain or transmit” – despite criticisms that the definition is fraught with equal parts flexibility and uncertainty. Both also explicitly identify the following mechanisms for authentication from outside a local area network as “reasonable security features”:

A preprogrammed password that is unique for each connected device; or
A requirement that a user generate a new means of authentication before gaining access to the connected device for the first time.
Like California, Oregon generally carves out any security requirements imposed on connected devices by federal law or regulation, and separately explicitly exempt entities or persons that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Other state legislatures currently considering similar security requirements for connected devices include Illinois (H.B. 3391), Maryland (S. 553/H.B. 1276), and New York (S.3975/A.B. 2229).

Contacts

Cheryl A. Falvey
Partner
- Washington, D.C.
  - D | +1.202.624.2675
Y2ZhbHZleUBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 5 min read | 12.12.25

Eleventh Circuit Hears Argument on False Claims Act Qui Tam Constitutionality

On the morning of December 12, 2025, the Eleventh Circuit heard argument in United States ex rel. Zafirov v. Florida Medical Associates, LLC, et al., No. 24-13581 (11th Cir. 2025). This case concerns the constitutionality of the False Claims Act (FCA) qui tam provisions and a groundbreaking September 2024 opinion in which the United States District Court for the Middle District of Florida held that the FCA’s qui tam provisions were unconstitutional under Article II. See United States ex rel. Zafirov v. Fla. Med. Assocs., LLC, 751 F. Supp. 3d 1293 (M.D. Fla. 2024). That decision, penned by District Judge Kathryn Kimball Mizelle, was the first success story for a legal theory that has been gaining steam ever since Justices Thomas, Barrett, and Kavanaugh indicated they would be willing to consider arguments about the constitutionality of the qui tam provisions in U.S. ex rel. Polansky v. Exec. Health Res., 599 U.S. 419 (2023). In her opinion, Judge Mizelle held (1) qui tam relators are officers of the U.S. who must be appointed under the Appointments Clause; and (2) historical practice treating qui tam and similar relators as less than “officers” for constitutional purposes was not enough to save the qui tam provisions from the fundamental Article II infirmity the court identified. That ruling was appealed and, after full briefing, including by the government and a bevy of amici, the litigants stepped up to the plate this morning for oral argument....

Client Alert | 8 min read | 12.11.25
Director Squires Revamps the Workings of the U.S. Patent Office
Client Alert | 8 min read | 12.10.25
Creativity You Can Use: CJEU Clarifies Copyright for Applied Art
Client Alert | 4 min read | 12.10.25
Federal Court Strikes Down Interior Order Suspending Wind Energy Development

View All Insights