Earlier this year, Oregon passed H.B. 2395, which requires “reasonable security features” on internet-connected devices. The new law, which takes effect on January 1, 2020, applies to “a person that makes a connected device and sells or offers to sell the connected device” in Oregon. “Connected device” means “any device or physical object that connects directly or indirectly to the Internet and is used primarily for personal, family or household purposes.” This may include devices such as baby monitors and home security cameras.
The law defines a “reasonable security feature” as:
- A means for authentication from outside a local area network, including:
  - a preprogrammed password that is unique for each connected device; or
  - a requirement that a user generate a new means of authentication before gaining access to the connected device for the first time; or
- Compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.
In addition to the federal law compliance carve-out, the law exempts entities or persons that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and devices regulated by the U.S. Food and Drug Administration.
Significantly, a covered manufacturer that fails to include reasonable security features engages in an unlawful trade practice under ORS 646.607. That means manufacturers that violate the law may face civil lawsuits and/or action by Oregon’s Attorney General.
The full text of the law is available here.
A similar law in California also takes effect on January 1, 2020.