
Decoding “Reasonableness” Under California’s IoT Law

April 7, 2021


The law governing Internet of Things (IoT) devices in the United States (US) is rapidly evolving. From industry-specific guidelines for connected medical devices and autonomous vehicles to more general standards such as the Internet of Things Cybersecurity Improvement Act of 2020 (Federal IoT Law), state and federal laws on IoT standards are changing quickly, introducing new challenges for emerging technologies and new use cases for manufacturers.

As in other areas of the law, California has been a leader in developing standards around IoT devices. In 2017, California became the first state to adopt an IoT-specific cybersecurity law, known as the California Internet of Things Cybersecurity Improvement Act of 2017 (California IoT Law). Codified at California Civil Code § 1798.91.04, the California IoT Law took effect on January 1, 2020, and requires manufacturers of IoT devices to equip any IoT device they manufacture with a “reasonable security” feature or features that are: (1) appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and any information contained on the device from unauthorized access, destruction, use, modification, or disclosure. Oregon passed a similar bill into law shortly thereafter.

What is a “reasonable security” feature for IoT devices, and how will this standard be interpreted by the courts? Is it a static standard, or is it dynamic based on the type of organization and data at issue? This article examines these questions and attempts to shed light on the concept of “reasonableness” under the California IoT Law by examining the statutory language and how “reasonable security” has been interpreted in parallel areas of the law.