The UK Government has published new “groundbreaking” rules to protect our smart devices from an increased cyber threat, including large fines for non-compliance.
From the smart TVs that many of us have in our homes, to egg trays that tell you when your eggs are off, an increasing number of consumer products are incorporating internet connectivity (known as consumer connectable products). This has inevitably raised security concerns, as these products could potentially provide an easy route into consumers’ lives for would-be malicious parties (especially as they are often not as security-focused as more traditional smart devices such as laptops).
This is not a new concern. In October 2018, the Government published a Code of Practice for Consumer IoT Security (the Code of Practice). In April 2021, it announced plans to protect consumers in relation to their connectable products (as discussed previously on the Lens blog), followed last week (26 November) by the Product Security and Telecommunications Infrastructure Bill. So is the bill as “groundbreaking” as promised? The Government states that the aim of the bill is to improve compliance by putting part of the Code of Practice on a statutory footing. As a result, some of the proposals do not appear to be that new. However, in proposing legislation, the Government adds the stick of enforcement (including criminal sanctions and GDPR-style fines) to the requirements. The bill also does more to clarify aspects of the previous proposals.
Scope of products
The bill applies to any relevant connectable product that is made available to consumers in the UK and which has not previously been supplied to any customer anywhere in the world (as clarified in the Explanatory Note, this means the bill does not apply to “used” or second-hand products). Relevant connectable products include those which can connect to the internet or other networks to transmit and receive digital data, subject to exclusions under other regulations. It is interesting that this currently includes computers, despite previous indications from the Government that these would be excluded.
Summary of obligations
The bill imposes certain obligations on “manufacturers”, who include organisations that market a product under their own name or trade mark (even if they do not actually manufacture the product) as well as those who manufacture or design products. It also puts broadly similar obligations on “importers” and “distributors”, albeit not identical ones.
These include certain product security obligations. However, the bill does not set out these security obligations, and instead gives the Secretary of State for the Department for Digital, Culture, Media and Sport the power to set these requirements under future regulations. According to the Explanatory Note, it is intended for any such requirements to reflect the standards in the Government’s 2018 Code of Practice (as discussed in a previous Lens blog). It confirms that “[t]hese new statutory security obligations will include a ban on the use of default passwords, a requirement for manufacturers to manage the reporting of security vulnerabilities and a requirement for consumers to be told at the point of sale the minimum period of time that the product will receive security updates.”
In addition to the security requirements, the bill imposes further obligations on the various supply chain parties. They will have to accompany any relevant products with a statement of compliance or a summary of that statement. They will also, once they are informed of the existence (or reasonable possibility) of any security requirement compliance failure, have to:
- take all reasonable steps to investigate it;
- prevent the product from being made available in the UK and/or remedy the failure;
- notify the enforcement agency, any other relevant manufacturers, importers or distributors, and if requested by (and on the terms set by) the Secretary of State, any UK customer who has been supplied the product; and
- maintain records of all of the above.
The Government has kept many of the previously proposed enforcement options, but clarified that these will be enforced by the Secretary of State. These options range from stop and recall notices (with non-compliance to be a criminal offence), to GDPR-style fines (the greater of £10 million or 4% of worldwide revenue in respect of each breach).
It is important to note that this bill is only at its second reading, and therefore changes could be made as it passes through the legislative process. However, the Government is clearly hoping to introduce wide-ranging obligations on the supply chain in relation to consumer connectable products in an effort to improve their security.