Decoding “Reasonableness” Under California’s IoT Law

April 7, 2021


The law governing Internet of Things (IoT) devices in the United States (US) is rapidly evolving. From industry-specific guidelines for connected medical devices and autonomous vehicles to more general standards such as the Internet of Things Cybersecurity Improvement Act of 2020 (Federal IoT Law), state and federal laws relating to IoT standards are changing quickly, introducing new challenges for emerging technologies and new use cases for manufacturers.

As in other areas of the law, California has been a leader in developing standards around IoT devices. In 2017, California became the first state to adopt an IoT-specific cybersecurity law, known as the California Internet of Things Cybersecurity Improvement Act of 2017 (California IoT Law). Codified at California Civil Code § 1798.91.04, the California IoT Law took effect on January 1, 2020, and requires manufacturers of IoT devices to equip any IoT device they manufacture with a “reasonable security” feature or features that are: (1) appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and any information contained on the device from unauthorized access, destruction, use, modification, or disclosure. Oregon passed a similar bill into law shortly thereafter.

What is a “reasonable security” feature for IoT devices, and how will this standard be interpreted by the courts? Is it a static standard, or is it dynamic based on the type of organization and data at issue? This article examines these questions and attempts to shed light on the concept of “reasonableness” under the California IoT Law through an examination of the statutory language and of how “reasonable security” has been interpreted in parallel areas of the law.