New rules on security of connected devices

What's the issue?

Connected devices have become increasingly prevalent in recent years and 'smart' homes are becoming a reality. However, the security standards of many of these products have not been regulated to date. 

Many are supplied with default, easy to guess passwords which has allowed hackers to infiltrate systems and left personal data exposed.  This security gap is often cited as a barrier to growth of IoT devices.

What's the development?

The Product Security and Telecommunications Infrastructure Bill was introduced to Parliament just before Christmas. 

Part 1 will govern the security of consumer connectable devices (and in some cases, to connected devices used by businesses).  Part 2 is intended to speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure, and is outside the scope of this article.

The PTSI will apply across the supply chain from manufacturers, to importers, distributors and retailers (both on and offline). It will cover newly available connectable products made available in the UK. 

This includes all devices which can access the internet and products which can connect to multiple other devices but not directly to the internet (such as smart light bulbs, smart thermostats and wearable fitness trackers).  Exceptions will be made for products governed by other legislation, for example, medical devices and smart meters.

The PTSI will give the government the power to bring in tougher security standards for device makers which are likely to include:

• a ban on 'easy-to-guess' default passwords pre-loaded on new devices - all passwords will need to be unique and not resettable to a universal factory setting
• a requirement for connectable product manufacturers to tell customers at point of sale, and keep them updated, about the minimum amount of time a product will receive security updates and patches. If none, then that must be clear
• a requirement on manufacturers to provide a public point of contact for reporting of security flaws and bugs.

In-scope businesses will be required to produce statements of compliance, investigate and act on compliance failures, and maintain related records.

The new regime will be overseen by a yet to be designated regulator who will have the power to fine companies up to £10m or 4% of annual global revenue, as well as up to £20,000 per day for non-compliance.  Businesses will have a year to comply once the law is in force.

What does this mean for you?

As currently drafted, the PTSI will enhance the security of a wide range of internet and network connected devices, impacting the entire supply chain and introducing substantial penalties for non-compliance.

The security standards with which devices will need to comply will be set out in secondary legislation, so what, exactly, will be expected remains to be seen. 

It will be interesting to see how the Bill, and, more importantly, the ensuing security standards, fit with the EU's draft Regulation on cybersecurity of internet-enabled products which is also in early stages of the legislative process.  Many businesses will need to comply with both. 

Read more

Which products are caught?

Most of the obligations relate to "UK consumer connectable products" not previously available to UK consumers (and customers).  These are "Relevant connectable products" (see below) where either:

• the product is, or has been, made available to consumers in the UK and has not been supplied by a relevant person to any customer (whether or not in the UK) at any time before being made available in this way, or where
• products identical to those meeting the above condition are made available to UK customers who aren't consumers and the products have not been supplied by any relevant person to any customer (whether or not in the UK) at any time before being made available to those UK customers.

Relevant connectable products are:

• internet-connectable products
• network-connectable product ie products capable of both sending and receiving data which are not internet-connected but are capable of connecting directly to an internet-connectable product, or which are able to connect directly to two or more products at the same time using a communication protocol other than the internet, and are capable of connecting directly to an internet-connectable product by means of that communication protocol (whether or not at the same time as they connect to any other product).Wire-only connections are not relevant.

Certain products are excepted from the scope of the Bill, usually where their security is governed by other legislation. 

Who has to comply with duties in relation to relevant connectable products?

What are the relevant duties?

• Comply with relevant security requirements.
• Produce compliance statements.
• Duty to investigate and take action in relation to compliance failures where informed there is a failure or where they are aware or ought to be aware the product is or will be a UK consumer connectable product. This duty varies slightly depending on whether it applies to a manufacturer, importer or distributor.
• Where they are aware or ought to be aware of a compliance failure in a UK consumer-connectable product, take all reasonable steps to remedy the failure and/or prevent the product being made available in the UK. Again the extent of the duty depends on whether it applies to a manufacturer, importer or distributor.
• Notify the relevant enforcement authority and any relevant manufacturer, importer or distributor (as applicable) of the compliance failure.
• Notify individuals of compliance failures in situations mandated by the Secretary of State.
• Maintain records of compliance failures and investigations for a minimum of 10 years.

How will this be enforced?

Enforcement powers are initially given to the Secretary of State with scope to delegate them.  The expectation is that a regulator will be appointed.  The Bill provides for a range of enforcement powers including investigation powers, compliance notices, 'stop' and 'recall' notices to prevent further distribution of non-compliant products and recall those already on the market or in circulation, and monetary penalties.  The monetary penalties are up to a maximum of £10m or 4% of annual global revenue.

Next steps

The Bill now progresses to its second reading in the House of Commons and may face pushback on the high level of penalties proposed or on its scope. Property developers may be surprised to find they could be caught by distributor duties.  Most of all though, those potentially in scope will be waiting for more detail on relevant security standards, as well as for a comprehensive list of excepted products.