
Two New State IoT Laws Go Into Effect on Jan. 1

In 2020, manufacturers of Internet of Things devices will need to comply with new laws in California and Oregon.
By David Stauss, Bob Bowman and Malia Rogers

As with the California statute, Oregon's law requires manufacturers to equip connected devices with "reasonable security features." The law defines that term to mean "methods to protect a connected device, and any information the connected device stores, from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit."

A reasonable security feature "may consist of" a means for authentication from outside a local area network, including a "preprogrammed password that is unique for each connected device" or a "requirement that a user generate a new means of authentication before gaining access to the connected device for the first time." The law also provides that a reasonable security feature may consist of "compliance with requirements of federal law or federal regulations that apply to security measures for connected devices."

The law contains a number of exclusions, including for entities subject to the Health Insurance Portability and Accountability Act (HIPAA) "with respect to any action that [HIPAA] regulates" and a "connected device, the functions of which are subject to and comply with the requirements, regulations and guidance that the United States Food and Drug Administration promulgates under 21 C.F.R. parts 800 to 1299 or other requirements, regulations and guidance the United States Food and Drug Administration promulgates with respect to medical devices, including software as a medical device."

With approximately two months to go until these new laws go into effect, entities subject to them should be reviewing these laws and taking steps to ensure that they are in compliance.

David M. Stauss is a partner at Husch Blackwell LLP and a co-leader of the firm's privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at david.stauss@huschblackwell.com.

Robert J. Bowman is a Denver-based partner in Husch Blackwell's Technology, Manufacturing & Transportation industry group and a co-leader of the firm's internet of things team. He can be reached at bob.bowman@huschblackwell.com.

Malia Rogers is an attorney in Husch Blackwell LLP's Denver office and assists clients on emerging data privacy issues.
