November 29, 2021
The Government says that the proposed new law will require manufacturers, importers and distributors of digital tech that connects to the internet or other products to make sure they meet tough new cyber security standards, with heavy fines for those who fail to comply.
The Government says that on average, there are nine connected tech products in every UK household, and forecasts suggest there could be up to 50 billion worldwide by 2030. Only one in five manufacturers have appropriate security measures in place for these connectable products. Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
Currently the makers of digital tech products must comply with rules to stop them causing people physical harm from issues such as overheating, sharp components or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data. The PSTI Bill will counter this threat by giving ministers new powers to bring in tougher security standards for device makers. This includes:
- a ban on easy-to-guess default passwords that come preloaded on devices, such as “password” or “admin”, which are a target for hackers; all passwords that come with new devices will need to be unique and not resettable to any universal factory setting;
- a requirement for connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches; if a product does not come with security updates, then that must be disclosed; and
- new rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
The Bill also places duties on in-scope businesses to investigate compliance failures, produce statements of compliance, and maintain appropriate records of this.
This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.
The new laws will apply not only to manufacturers, but also to other businesses including both physical shops and online retailers. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass on to customers important information about security updates.
The Bill applies to “connectable” products, which includes all devices that can access the internet, such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances, such as washing machines and fridges. It also applies to products that can connect to multiple other devices but not directly to the internet, e.g., smart light bulbs, smart thermostats and wearable fitness trackers.
The Government intends to exempt some products, for instance, where it would subject them to double regulation or not lead to material improvements in product or user security, e.g., vehicles, smart meters, electric vehicle charging points and medical devices. Desktop and laptop computers are also not in scope as they are served by a mature antivirus software market, unlike smart speakers and other emerging consumer tech.
Second-hand connectable products will also be exempt due to the impractical obligations that including them would put on consumers and businesses disproportionate to the likely benefits. However, the Bill gives ministers powers to extend the scope of the Bill as cyber threats and risks change in future.