ORS 646A.813¹
Security requirements for Internet-connected devices
  • exemptions
  • penalty

(1) As used in this section:

(a) “Connected device” means a device or other physical object that:

(A) Connects, directly or indirectly, to the Internet and is used primarily for personal, family or household purposes; and

(B) Is assigned an Internet Protocol address or another address or number that identifies the connected device for the purpose of making a short-range wireless connection to another device.

(b) “Manufacturer” means a person that makes a connected device and sells or offers to sell the connected device in this state.

(c) “Reasonable security features” means methods to protect a connected device, and any information the connected device stores, from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit.

(2) A manufacturer shall equip a connected device with reasonable security features. A reasonable security feature may consist of:

(a) A means for authentication from outside a local area network, including:

(A) A preprogrammed password that is unique for each connected device; or

(B) A requirement that a user generate a new means of authentication before gaining access to the connected device for the first time; or

(b) Compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.

(3) This section does not:

(a) Require a provider of an electronic store, gateway, marketplace or other means for purchasing or downloading software or firmware to verify or enforce compliance with the provisions of this section.

(b) Require a person to prevent a consumer from having or obtaining full control over a connected device, including the ability to modify the connected device or any software or firmware installed on the connected device.

(c) Limit the authority of a law enforcement officer or law enforcement agency to obtain information from a manufacturer as provided by law or authorized in an order from a court of competent jurisdiction.

(d) Impose a duty on a manufacturer to provide reasonable security features for software, firmware or peripheral devices that another manufacturer makes and that a consumer installs in or adds to the connected device.

(4) This section does not apply to:

(a) A connected device on which a consumer installs or otherwise adds software or other devices that the manufacturer of the connected device does not approve for use with the connected device or that damages, evades, disables or otherwise modifies the reasonable security features that a manufacturer incorporates into the connected device.

(b) A covered entity, a health care provider, a business associate, a health care service plan, a contractor, an employer or another person that is subject to the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, 110 Stat. 1936) or regulations promulgated under the Act, with respect to any action that the Act regulates.

(c) A connected device, the functions of which are subject to and comply with the requirements, regulations and guidance that the United States Food and Drug Administration promulgates under 21 C.F.R. parts 800 to 1299 or other requirements, regulations and guidance the United States Food and Drug Administration promulgates with respect to medical devices, including software as a medical device.

(5) The duties and obligations that this section imposes are in addition to and not in lieu of any other duties and obligations imposed under other applicable law and do not relieve any person from the person’s duties and obligations under any other applicable law.

(6) A manufacturer that violates subsection (2) of this section engages in an unlawful trade practice under ORS 646.607 (Unlawful business, trade practices). [2019 c.193 §1]


Law Review Cita­tions

52 WLR 451 (2016)

(formerly 646.315 to 646.375)

Notes of Decisions

Where purchaser fails to provide notice of condi­tion requiring repair, presump­tion does not arise that repair time exceeding 30 business days demonstrates inability of manufacturer to conform vehicle. Pavel v. Winnebago Industries, Inc., 127 Or App 16, 870 P2d 856 (1994)

Repair time exceeding 30 business days as evidence of inability to conform vehicle applies only to presently existing defect. Pavel v. Winnebago Industries, Inc., 127 Or App 16, 870 P2d 856 (1994)

Law Review Cita­tions

19 WLR 329 (1983)

1 Legislative Counsel Committee, CHAPTER 646A—Trade Regulation, https://­www.­oregonlegislature.­gov/­bills_laws/­ors/­ors646A.­html (2019) (last ac­cessed May 16, 2020).
2 Legislative Counsel Committee, Annotations to the Oregon Revised Stat­utes, Cumulative Supplement - 2019, Chapter 646A, https://­www.­oregonlegislature.­gov/­bills_laws/­ors/­ano646A.­html (2019) (last ac­cessed May 16, 2020).
3 OregonLaws.org assembles these lists by analyzing references between Sections. Each listed item refers back to the current Section in its own text. The result reveals relationships in the code that may not have otherwise been apparent. Currency Information