Date: Oct 17, 2018
Security measures must be appropriate to the nature and function of the device and the information they collect, contain, or transmit. "Reasonable security," while a somewhat general and vague term, has been referenced by the Federal Trade Commission (FTC), the National Institute of Standards and Technology (NIST), and others. It denotes a flexible, process-oriented standard that avoids specific "one-size-fits-all" criteria that could stifle innovation. For devices that are authenticated outside a local area network, the law requires that the device must either contain a unique preprogrammed password or require users to create a new password before first-time use to establish reasonable security. These requirements, while more specific as elements of a "reasonable security" approach, are more generally accepted from a password management standard, recognizing that consumers often choose simple, easy-to-guess passwords or adopt common passwords across sites and services that, if compromised, could put much more of their personal information at risk.