New rules for consumer product security and telecoms infrastructure

The government tabled a bill towards the end of last year to update the country’s technology laws, providing for potential £10 million fines for manufacturers, importers or distributors of consumer connectable devices who fail to adequately secure those devices.

Consumer Product Security – Internet of (Secure) Things

The government’s announcement of the bill notes that there could be up to 50 billion connectable devices in the world by 2030, and that there are currently 9 on average in each UK household (smart speakers, voice assistants, smart TVs etc.). However, connectable devices always represent a potential threat to any network they may be connected to. For instance, websites have been found to be hosting footage from baby cameras, webcams and domestic CCTV without the camera owners’ knowledge.

The Product Security and Telecoms Infrastructure Bill (PSTI) will seek to regulate such devices by setting out minimum security standards for manufacturers, importers and distributors; these provisions will apply 12 months after the bill enters law. The standards will include features such as:

  • Unique, non-default passwords;
  • Indicated periods of support for security updates; and
  • Vulnerability disclosure policies for products, to ensure vulnerabilities are properly flagged and fixed.

Any organisation involved in the consumer connected goods supply chain will need to follow developments closely: non-compliance will carry a potential maximum fine of £10 million, or 4% of annual worldwide revenue, comparable to the penalties for mishandling personal data under the GDPR.

Further reading and queries

The text of the bill and the government’s guidance can be found here. If you have any queries about the bill, please contact Suzie Miles, Partner in Ashfords’ Commercial Technology team.
