‘Smart’ devices – possible new UK cyber-security law

The UK government has proposed a new cyber-security law for devices that connect to the ‘Internet of Things’ - like ‘smart’ TVs and speakers. The proposals could affect IoT device manufacturers, IoT service-providers, mobile app developers and retailers.

The proposal is part of the UK’s strategy to focus on innovation and be at the forefront of the AI and data revolution. And it’s another step towards codifying ‘compliance by design’ – where legislators are trying to ensure that strong governance principles are embedded within new tech.

The proposal – a new self-certification scheme to reduce hacks and help consumers 

In 2018, the government published a voluntary Code of Practice for Consumer IoT Security. It now wants to make parts of the code legally binding, as it still sees ‘significant shortcomings’ in many IoT products on the market. It proposes making the ‘top three’ elements of the code into legal requirements, namely:

1. All IoT device passwords must be unique to each device and not resettable to any universal ‘factory default’ value shared across a product line;

2. Device-makers must implement a vulnerability disclosure policy, including a public point of contact so security researchers can report any flaws; and

3. Device-makers must explicitly state the minimum length of time for which a product will receive security updates.

Device-makers would have to self-certify that they complied with the ‘top three’ and add a label to their products to that effect. Retailers would be permitted to sell only IoT devices that have the label. This is the government’s preferred route, but it also suggests other options, including a more stringent one that would require compliance with the full code. The government is asking for input on all options.

What might the proposals mean for business?

The proposals could be good news for businesses, by encouraging uptake of their products. Consumer confidence in connected devices has certainly been affected by high-profile hacks, like those on connected toys, and the 2016 Mirai botnet attacks, in which insecure routers, IP cameras and other connected devices were taken over using shared default passwords and used to knock major websites offline. That episode is precisely the failure the first of the ‘top three’ requirements is aimed at.

And if manufacturers can have more faith in others’ products, this might also help promote innovation and collaboration.

But there would be an increased compliance burden on manufacturers (and retailers). It’s possible that this might keep smaller businesses out of the market. However, it’s probably safe to say that the ‘top three’ protections don’t amount to cutting-edge cyber-security – we’d expect many businesses to be able to self-certify fairly easily. They are not cost-free, though: issuing a unique password per device means changing manufacturing and provisioning so that each unit is given its own credential rather than one derived from a shared default, and publicly stating a minimum update period commits the manufacturer to actually shipping security updates for that long. That might change further if more legal requirements are added – and the government has said that it ultimately wants to bring the full code into law.

If nothing else, the appearance of a new ‘kitemark’-type label should raise consumer awareness of cyber security generally.

What should businesses do now?

Businesses might want to consider responding to the consultation - it’s open until 5 June 2019. (If you’d like help in drafting a response, feel free to contact us.)

As the government has said that it might bring the full code into law, it’s worth considering if your business might start complying fully now – in any event, that would enable you to differentiate yourselves from competitors. And for any business that suffers a hack and comes under review by a regulator, compliance with the code might serve to reduce any sanction. 

Finally, if you’re buying an IoT business, it’s worth checking whether it already complies with the code as part of your cyber security due diligence.