Risks of 4% maximum fines (plus £20k maximum daily fines) will arise for organisations that make, import or distribute any internet/network-connectable products for UK consumers (and, in some situations, UK businesses) – including smartphones and Internet of Things devices such as smartwatches, games consoles, smart speakers, sound systems, TVs and cameras, smart appliances such as fridges, ovens, microwaves, dishwashers, light bulbs, thermostats or thermometers, connected baby monitors or toys, connected doorbells, locks, security cameras or alarms, smart home hubs, voice-activated assistants and home control systems, and wearable connected technology such as fitness trackers. The EU plans to legislate on these areas too, under its proposed Cyber Resilience Act.
What new law has been enacted?
New security-related requirements will be imposed under the Product Security and Telecommunications Infrastructure Act 2022 (the Act), which became law in December 2022 with relatively little fanfare. Some exceptions apply to avoid dual regulation (for example, for smart meters, medical devices, vehicles). It also covers telecommunications infrastructure, but this will not be discussed in this article. Under the Act, manufacturers, importers and distributors have:
- a duty to comply with the relevant security requirements;
- a duty to provide a product "statement of compliance" regarding the security requirements, with summary;
- a duty to investigate potential compliance failures (i.e. failures to comply with the security requirements) about which the organisation has been informed, including importers having to investigate potential failures on the part of the manufacturer;
- a duty to act on compliance failures, including discontinuing product availability, remediation, notification of the failure not only to the enforcement authority but also others in the supply chain, and possibly UK customers;
- a duty to maintain records of compliance failures and investigations into actual/potential failures;
- (importers/distributors only) a duty not to supply products if it knows or believes there is a compliance failure by the manufacturer, and to contact the manufacturer as soon as possible about that compliance failure. If it appears unlikely that the manufacturer will remedy the compliance failure, the importer/distributor must, as soon as practicable, take all reasonable steps to prevent the product from being made available to customers in the UK and notify the enforcement authority, other distributors/importers and possibly UK customers too.
As flagged above, it is not only manufacturers that will be in scope. As the UK government stated, it will also apply to "other businesses, including both physical shops and online retailers which enable the sale of millions of cheap tech imports into the UK. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers."
Most of the Act does not apply yet (not until regulations are made to bring its provisions into force). However, when that happens, the security requirements specified in those regulations will have to be met by organisations that are in scope, or whose products are in scope. Given their different roles, it is likely that different specific security requirements will apply separately to manufacturers, importers and distributors under the regulations, but all three will always be subject to the duties mentioned above.
What enforcement action is possible?
The maximum penalty for non-compliance with a duty, under penalty notices, is either £10 million or 4% of the qualifying worldwide revenue for the non-complying organisation's most recent complete accounting period (including group revenues if provided by regulations), whichever is the greater. So, there are potentially GDPR-level fines here, and more because of the additional maximum £20,000 daily penalty that could be imposed if the non-compliance continues after the end of the period specified for payment of the fixed penalty.
As well as penalty notices, the enforcement authority (the UK Secretary of State, or whoever it delegates its enforcement functions to) can also issue:
- compliance notices ordering compliance within a given period;
- stop notices to prevent breach of a relevant duty; and/or
- recall notices requiring product recalls,
(all appealable, with possible compensation for stop/recall notices wrongly given).
Non-compliance with any of these enforcement notices (compliance, stop or recall) is a criminal offence subject to a fine (with an "all reasonable steps to comply defence"). Directors/officers are also criminally liable if that offence was committed with their consent/connivance or attributable to their neglect.
In addition, information about compliance failures and/or enforcement action can be made public, products can be directly recalled and destroyed (with payment to returning customers), and court orders for forfeiture of products are possible.
What security requirements will have to be met?
While the relevant regulations have not yet been issued, it is expected that manufacturers will, as a minimum, be required to:
- not use the same universal default passwords for all their products (like "admin" or "password", easily guessed by cybercriminals!). Passwords will have to be unique and not resettable to any universal factory setting;
- have a vulnerability disclosure policy for products and a public contact point, enabling third parties (such as customers or security researchers) who identify any security weaknesses (such as bugs) in the product to report them to the manufacturer; and
- provide transparency up front, at the point of sale, on whether the manufacturer will provide security updates for the product, and for how long it will do so.
These requirements derive from the UK government's 2018 voluntary Code of Practice on Consumer IoT Security (the Code) (with mapping). The UK decided to legislate on these issues after consultation, due to poor compliance with the Code. The Code was, in turn, based on European standards organisation ETSI's standard Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645, now in V2.1.1).
So, it is not unlikely that other requirements from the Code or ETSI's standard will also be turned into legal requirements under the Act, in future if not in the first set of regulations issued, namely to:
- keep software updated;
- securely store credentials and security-sensitive data;
- communicate securely (encryption in transit etc.);
- minimise exposed attack surfaces;
- ensure software integrity;
- ensure personal data is secure and protected (privacy notices etc. – a challenge with IoT devices that lack screens!);
- make systems resilient to outages;
- monitor system telemetry data for security anomalies (bearing in mind this probably involves processing personal data too);
- make it easy for consumers to delete personal data;
- make installation and maintenance of devices easy; and
- validate input data.
What is the timing/deadlines?
The UK government said in 2021 that it would provide "at least 12 months' notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework fully comes into force."
However, we will not know the exact timing until the relevant regulations are issued, and 12 months is a relatively short timescale in which to check and update manufacturing and other processes, so it makes sense for importers and distributors as well as manufacturers to start preparing now, particularly given that the EU is proposing similar and, in some ways, tougher legislation.
What are the key practical action points?
Manufacturers, importers and distributors of smart/connected products for UK consumers should:
- monitor for regulations to be issued under the Act and analyse their scope and requirements when issued; also monitor the progress of the EU Cyber Resilience Act and its requirements if supplying such products in the EEA market. Its scope and requirements will differ from the Act's, so clients caught by the Act will need to consider how to approach compliance with both UK and EU requirements, which may mean complying with the highest common denominator, and plan for this;
- (manufacturers only) gear up for at least ensuring their products meet the three key security requirements mentioned above (including a process for handling vulnerability reports received), as well as the other requirements under the Code and ETSI standard, considering ETSI's test specification which may be useful, as well as (if relevant) ETSI's newer security requirements for home gateways;
- (importers and distributors only, such as retailers) not only institute policies and processes for responding to reports of manufacturers' security issues or their own compliance issues, with associated record-keeping, but also policies and processes for handling recalls, stopping sales, making notifications to the enforcement authority etc. (such as when customers report security issues directly to the importer/distributor). As importers and distributors will be directly exposed to fines etc. under the Act, when taking out or renewing contracts with manufacturers or non-UK exporters they should also consider building in appropriate warranties/indemnities, and consider the availability of insurance for their potential liability under the Act.