The Product Security and Telecommunications Infrastructure Bill – an important development in UK IoT cybersecurity law

The UK Government has recently introduced the Product Security and Telecommunications Infrastructure Bill (PSTI), which aims to protect consumer connectable devices from cyber-attacks.

Background

It follows the UK Government’s Code of Practice published in 2018 (which in turn influenced the ETSI EN 303 645 cybersecurity standard for consumer IoT devices). The Code sets out 13 guidelines for manufacturers to follow as good practice for improving the cybersecurity of Internet of Things (IoT) products, including designing products without universal default passwords and providing timely software updates.

The PSTI is a key development in the UK’s commitment to improving the cybersecurity of products, as detailed in its response to its call for views on proposed domestic legislation focusing on the cybersecurity of products (found here).

It also forms part of a series of proposed legislation in the UK and EU, such as the EU’s proposed revision of the General Product Safety Directive (GPSD) (as discussed in our article, here).

The PSTI, however, promises to be more focused on cybersecurity than other, more general legislation: Part 1 of the draft Bill is dedicated to the cybersecurity of products, whilst Part 2 concerns telecommunications infrastructure, with the aim of expediting negotiations between landowners and mobile network providers to achieve the government’s 4G, 5G and broadband coverage strategy.

This article focuses on Part 1.

Definitions of technical terms

Internet of Things (IoT): A network of separate but interrelated devices that have unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Exfiltrate: To transfer data out of a computer or other device without authorisation.

Ransomware: A type of malware that encrypts the victim’s data and then demands a ransom for its release.

Key proposals

The primary points for consideration in Part 1 of the draft Bill are:

Defining applicable products

The PSTI applies to consumer connectable products, which the Bill defines in a rather convoluted fashion, jumping between relevant sections of the Bill; the explanatory note, however, helpfully defines them as “consumer products which can connect to the internet or other networks, and can transmit and receive digital data” and clarifies that such products are also called Internet of Things devices.

Examples include smart TVs, security cameras, and alarm systems.

Second-hand consumer connectable products are proposed to be exempt, given the impractical obligations that businesses and consumers would otherwise face in complying with the PSTI’s requirements.

Granting powers to specify product requirements

The PSTI grants the Secretary of State for Digital, Culture, Media and Sport the power to specify security requirements and to ensure that the minimum requirements are complied with, and sets out how such powers can be exercised.

Initial security requirements are aimed towards achieving:

  1. A ban on universal default passwords that are easy to guess.
  2. A requirement to inform customers from the outset of the minimum period for which a product will receive crucial security updates. If the product does not come with such security updates, customers will need to be informed of this.
  3. A requirement for product manufacturers to implement a process allowing security researchers (and other members of the public) to report design flaws or bugs in their products.

Duty of relevant persons

The PSTI defines relevant persons as:

  • Manufacturers
  • Importers
  • Distributors

Applicable duties include requiring a statement of compliance to accompany a consumer connectable product before it is made available on the UK market, investigating a potential compliance failure by an importer or manufacturer, and taking corresponding action to remedy any such failure.

Enforcement powers

The principal enforcement powers and actions are:

  • The Secretary of State’s powers to enforce, and delegate enforcement functions.
  • Compliance and stop notices.
  • Fines of up to £10 million or 4% of global revenues (similar to the GDPR).

Why these proposals are deemed necessary

The government’s rationale for drafting the PSTI centres on the large number of IoT devices that continue to be reported as having inadequate cybersecurity, which leaves consumers vulnerable to cyber-attacks. Poor cybersecurity gives attackers a point of entry into the victim’s network, from which they can exfiltrate data as part of a ransomware attack.

Consumers often assume that all IoT devices are secure because they would not otherwise be for sale; this lack of understanding of the cybersecurity features of devices is another underlying reason for the PSTI.

The Bill’s stage and how companies can prepare

As of the date of this article, the PSTI is entering the second reading stage in the House of Commons, which is only the second of the twelve stages required for legislation to be passed. Although these are very early stages, manufacturers in particular should start to prepare by ensuring their products are broadly aligned with the 2018 Code of Practice guidelines and ETSI EN 303 645, so that compliance and a smooth transition are assured when the final Act is passed.

This Bill has the potential to be hard-hitting for parties throughout the product lifecycle should it be passed in its current form. Legal advice on the development and applicability of this Bill and other similar legislation is recommended.