Staying safe while staying connected: Proposed legislation will enhance cyber security measures for smart devices

The use of smart devices, such as smartphones, fitness trackers and connected household appliances, has increased both in the UK and globally, and the trend is expected to continue. Agile and remote working arising from the COVID-19 pandemic and the adoption of 5G technologies have only accelerated the process. As a result, the UK government is looking to keep pace with this evolution of technology by increasing the cyber security measures in place in relation to internet-connected consumer technologies.

UK Government Proposals

Cyber security of network-connected products has been on the UK government legislative agenda for a number of years and, in January 2020, the government announced its intention to introduce legislation to ensure stronger security is built into such connected products. This was followed by a call for views on the proposed legislation in July 2020 and the government has now published a response to the views received, along with an outline of its key policy positions which will underpin the upcoming legislation.

The proposed legislation is intended to place on a statutory footing the international security standards accepted by the UK and set out in previous government guidance, rather than to impose entirely new requirements. The security requirements, as further detailed below, will therefore be familiar to manufacturers and other actors across the industry.

The proposed legislation will establish a baseline security level for smart products to meet before they can be made available to consumers on the UK market. There are three key technical security requirements set out in the proposed legislative framework that must be implemented for consumer smart products to meet the security baseline, namely:

  1. not using universal default passwords;
  2. implementing a means to manage reports of vulnerabilities; and
  3. providing transparency on how long, at a minimum, the product will receive security updates.

In addition, there is an emphasis on flexibility to make changes to the requirements. Cyber security is a rapidly developing area so the intended legislation will need to be adaptable and fluid enough to keep up with the continuing development of technology and the connected products market, the evolving techniques employed by malicious actors, as well as the broader regulatory landscape.

What will the proposed legislation do?

As mentioned above, the proposed legislation will set a minimum baseline level of cyber security for smart devices. If a device does not meet the minimum security level, it may not be sold or otherwise made available to consumers in the UK. The legislation will be relevant to manufacturers, authorised representatives and importers as well as wholesalers and retailers of consumer connected devices.

The proposed legislation will apply to network-connectable products and associated services supplied to consumers. This includes devices which are already a feature in many people’s homes, such as smart speakers, smart televisions, connected doorbells and smartphones. Certain products will be exempt from the proposed legislation. Initially this is planned to include desktop computers, laptops and smart meters; however, the government will be able to make changes to the exempt product classes.

What are the security requirements? 

The focus of the proposed legislation will initially be on the following security requirements:

  • Banning universal default passwords: this will include all device passwords, including passwords used in the build / architecture of the device and passwords on pre-installed apps.
  • Vulnerability reporting: providing for a mechanism for manufacturers to be made aware of security vulnerabilities, so that fixes can be implemented.
  • Provision of information to consumers on how long the device will receive security updates: this is to promote consumer awareness about cyber security issues and to enable informed purchasing decisions.

There will be two possible ways to meet the security requirements: either by meeting the requirements as set out in the legislation (these will align closely with the key points of the government’s Code of Practice for Consumer IoT Security and the ETSI European Standard (EN) 303 645) or by meeting an equivalent designated security standard.

Based on the consultation responses received, the security requirements set out in the proposed legislation may not be straightforward for those affected to implement. They are likely to require changes to the product design process and to resource requirements, and could result in increased time to get products to market.

Under the proposed legislation, the government will also have flexibility in two respects: the security requirements and designated standards may be updated to meet specific challenges, and additional product assurance obligations may be implemented for specific product categories in the future.

How will the legislation be enforced? 

An enforcement authority will be set up with powers to investigate non-compliance, take enforcement action and impose sanctions if required. The authority will also provide support to organisations to enable them to meet their obligations regarding cyber security. 

What happens next?

The UK government is currently drafting the legislation, though there are no definitive timescales for when it will be introduced into Parliament. While the detail outlined in the above policy positions provides a good indication of the key structure and content of the proposed legislation, the final legislation may differ from the proposals. Manufacturers, importers and distributors of consumer connected devices should therefore watch this space.

How can we help?

If you have queries in relation to Cyber Security, please get in touch with a member of our specialist Data Protection & Cyber Security team.

This article was written by Clare Tuohy, Trainee Solicitor.
