Among a number of tech sector related proposals announced in the recent Queen's Speech, were the Government's plans, 'as soon as parliamentary time would allow' to legislate to create a legal obligation of 'security by design' in respect of consumer Internet of Things connected devices ("Consumer Connected Devices"). In this briefing we take a look at what sort of devices and who the proposed legislation will apply to, and what will be required to comply.
Security by design for consumer connected devices
We wrote a couple of years ago about the Government's call for views on introducing security requirements for I of T products. That call for views and consultation has resulted in where we are today, with the Government's current proposals.
There are a number of policy objectives behind the proposals:
- Protecting and continuing to protect citizens, networks and infrastructure from harm;
- Enabling emerging tech to grow and flourish by improving security and increasing consumer confidence;
- Adopting a proportionate approach to placing obligations on various parts of the market.
As yet there is no draft legislation; simply the policy proposals put forward by the Government, which will be followed by draft legislation 'when Parliamentary time allows for it'.
What do the proposals apply to?
The proposed legislation will apply to any network-connectable devices and their associated services that are made available to consumers, or primarily to consumers. By way of example, smart phones, connected cameras, TVs and speakers, toys and baby monitors, and connected appliances such as washing machines and fridges will be caught. The definition of 'made available' is broad, so that it catches any such products sold (online or offline), given away as a gift or a promotion, paid for on hire purchase, included as part of an insurance policy, or traded for other goods or services.
Some products which would otherwise have fallen within the above group will be exempted, on the basis that security obligations already apply via existing or planned alternative regulation (eg smart meters), where they have been deemed inappropriate to include until additional engagement and analysis is carried out (eg lap tops, desk top computers, and tablets without a cellular connection), or because imposing obligations would be impractical (eg second hand products).
What's in scope and out has been left flexible – the Government will have room to update the list of product classes which are exempt from the regulation – by adding new product classes, or taking some product classes off the exempt list and bringing them within scope of compliance.
Who do the proposals apply to and what do they have to do to comply?
The overall objective is to ensure that no Consumer Connected Device enters the UK market unless it incorporates basic cyber security measures. This will impact operators at different levels of the market in the following ways:
Manufacturers can only place Consumer Connected Devices on the market in the UK if they comply with specific security measures (please see grey box below for what these are).
Manufacturers based outside the UK will need to appoint an authorised representative in the UK, or where none has been appointed, the importer will need to fulfil the manufacturer's obligations.
Manufacturers will also have to publish a publicly available declaration of conformity, "take action" if they place a product on the market that is not compliant with security requirements or designated standards, which implies that product recall may be required, and co-operate and comply with the enforcement authority.
For those products which are manufactured outside the UK, as many will be, but where the manufacturer has not appointed an authorised representative in the UK, the importer of the products will be the organisation first making the products available on the UK market. It will therefore need to comply with the core obligations that would otherwise fall on the manufacturer.
Wholesalers and retailers will also have some responsibility: they will have to verify that manufacturers whose products they sell, have published a declaration of conformity, and also co-operate and comply with the enforcement authority.
These requirements largely align with other EU-derived product requirements which already apply to the types of electronic goods in the scope of this proposal, but with one significant omission: there is no requirement for conformity marking using the UK's new CA mark equivalent to the EU CE mark.
There is no indication that third party conformity assessment will be required.
Three basic security requirements will apply to Consumer Connected Devices:
- A ban on universal default passwords – as these are easy to guess. This includes those passwords set in apps which are incorporated into the product and provided by a third party.
- A system will need to be set up so that vulnerabilities which are discovered can be reported to the manufacturer so that issues can be addressed.
- Transparency as to the minimum period for which devices will be protected through the issuing of security updates.
Ministers will also have the flexibility to introduce further requirements in response to new threats which emerge. For example, new requirements may become necessary in areas such as user authentication, protection of data at rest and in transit, security design principles, production of information and guidance to consumers.
An alternative route to demonstrate conformity will be compliance with specified standards, rather than the specific security requirements set out in the legislation (which may be an easier route to conformity for overseas based manufacturers).
In this respect, the UK is following the EU's system of publishing "harmonised standards", compliance with which gives rise to a presumption of conformity with the legislation; this system will already be well known to suppliers to the EU market.
There will be an enforcement authority (though at present there has been no confirmation as to which authority will take on this role) which can investigate, take action and guide businesses in how they should comply. Emphasis will be on encouraging voluntary compliance where possible, with an ability to ramp up to more serious consequences for continuing failure to comply. It is not yet clear exactly what sanctions for non compliance will be, but they will include forfeiture of goods and financial penalties.
The legislation has yet to be drafted, however, it is anticipated that while there will be grace periods, they may well be short (the Government's original proposals suggested a period of between 3 months and 9 months for the various security requirements). Many manufacturers may well already be on top of this, given that the mandatory security requirements align with the top three guidelines from DCMS' 2018 Code of Practice for Consumer I o T Security, and provisions within ETSI European Standard (EN) 303 645 (though the latter is not yet an EU harmonised standard).
These proposals fall firmly within the Government's Top 10 Tech priorities for the economy and are designed to help shore up our resilience to cyber attacks, encourage trust in new tech and the use of data relating to it, which will in turn (it is hoped) help to encourage more businesses and entrepreneurs to get involved and innovate.
The proposals are one of a number of outputs from the Top 10 Tech priorities, including the National Data Strategy, the Government's plans for a National AI Strategy, due to be published later this year, and the Online Safety Bill which will impose legal obligations on online platforms to regulate content more effectively against the risks of online harm.
The proposals are also significant as, when passed, they will be the UK's first home-grown product rules, post-Brexit. In itself, this raises interesting questions such as whether the UK will directly port across detailed EU guidance on concepts like "making available on the market" and the roles of actors in the supply chain, which will become common to both jurisdictions. The EU does not yet have any equivalent rules in place, but is expected to pass new regulations under the Radio Equipment Directive to tackle data and privacy security issues for connected devices, and also, over the longer term, to propose horizontal legislation with broad scope to capture a range of cybersecurity issues for consumer connected devices.
FOR FURTHER INFORMATION, PLEASE CONTACT
- Head of Risk & Operational Regulatory
- +44 20 7295 3205
- Email Me
- +44 20 7295 3764
- Email Me
- Knowledge Counsel
- +44 20 7295 3241
- Email Me
- +44 20 7295 3496
- Email Me