In 2018, the British government published its Code of Practice for Consumer Internet of Things Security (Code), concerning security issues that arise when developing, making and selling consumer products that are internet-enabled and so form part of the 'internet of things' (IoT) (eg smart TVs, alarm systems and home assistants) and, ultimately, setting the groundwork for targeted regulatory intervention.
The government's initial preferred approach was for the industry to self-regulate in this area but concerns around industry uptake of the Code, and ongoing security issues with IoT products, led to a series of consultations and, ultimately, the publication of the Product Security and Telecommunications Infrastructure Bill (PSTI Bill), now in its final stages and heading towards Royal Assent.
What is the PSTI Bill?
The PSTI Bill is in two parts:
- Part 1: creates a new regulatory scheme intended to make consumer connectable products more secure against cyberattacks (which is the focus of this article).
- Part 2: contains provisions intended to accelerate the deployment and expansion of mobile, full fibre and gigabit capable networks across the UK.
The PSTI Bill gives the Secretary of State the power to specify security requirements relating to "relevant connectable products" or to relevant connectable products of a specified description. These obligations will apply to "relevant persons" or relevant persons of a specified description (eg persons defined as a "manufacturer" in respect to a product). Businesses involved in making these products available in the UK (eg manufacturers, importers and distributors) will need to comply with these requirements.
The Secretary of State's powers are limited to being used to protect or enhance the security of relevant connectable products made available to consumers in the UK, or of the users of those products.
The Bill provides a non-exhaustive list of what, in addition to a physical device, a security requirement may apply to. This includes software related to a product which may or may not be installed on the product. The software may or may not be provided by the manufacturer of the product.
The Bill itself does not include what these security requirements will be. However, the Explanatory Notes indicate they will be technical in nature and that the initial security requirements are intended to align with the following standards from the Code to:
- ban universal default passwords
- implement a means to manage reports of vulnerabilities
- provide transparency on how long, at a minimum, the product will receive security updates.
What products are in scope of Part 1?
The Bill outlines that the types of products that may be "relevant connectable products" include:
- "internet-connectable products", which means a product that is capable of connecting to the internet
- "network-connectable products", which means a product that (i) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) is not an internet-connectable product; and (iii) meets the first or second connectability condition.
Clause 5 sets out when the connectability conditions are met.
The majority of obligations in the Bill apply to "UK consumer connectable products", which are defined in clause 54 as a relevant connectable product which either:
- is or has been made available to UK consumers and has not been supplied by a relevant person to any customer (whether in the UK or not) at any time before being made so available (ie is not used at the point at which it is made available to customers) (Condition A), or
- is or has been made available to customers in the UK who are not consumers; has not been supplied by a relevant person to any customer (whether in the UK or not) at any time before being made so available (ie is not used at the point at which it is made available to customers); and where products identical to it meet Condition A (Condition B).
A product may therefore meet the definition of UK consumer connectable product even if it is solely aimed at business customers. The Explanatory Notes' example scenario refers to a smart camera being advertised to business users but not to consumers in the UK because the distributor selling the camera only sells to businesses. However, products identical to it (eg a smart camera of the same make and model) have been advertised (ie made available) to consumers in the UK by another distributor. The product would be considered a UK consumer connectable product. This ensures that all products that may reasonably be expected to be used by consumers are subject to the same security requirements, even where a particular individual product has not been directly made available to consumers.
The Bill also contains provisions relating to "excepted products" which gives the Secretary of State the power to specify connectable products to which Part 1 will not apply but which would otherwise be within the regulatory scope of the legislation. The Explanatory Notes state that the government intends to except products where it would not be appropriate for them to be included, for instance, where including them would subject them to double regulation. Products likely to be exempted include smart metering devices, smart chargepoints, medical devices, and certain vehicles.
Who is caught by Part 1 of the PSTI Bill?
Clause 7 defines the entities to which the obligations set out in Part 1 will apply as manufacturers, importers and distributors of relevant connectable products.
- Manufacturer: a person who (i) manufactures a product, or has a product designed or manufactured, and (ii) markets the product under their own name or trademark. A person who markets under their own name or trademark a product manufactured by another person is also a manufacturer.
- Importer: a person who (i) imports the product into the UK from another country, and (ii) is not a manufacturer of the product.
- Distributor: a person who (i) makes the product available in the UK, and (ii) is not a manufacturer or an importer of the product. Note: clause 7(6) provides that a person will not be considered a distributor if they make the product available by performing a contract for or including the installation of the product in a building or structure. This will only apply if products identical to the installed product are or have been made available to consumers outside of such a contract for their installation. The intention is to absolve small businesses whose ordinary business is not the sale of products (such as electricians etc) from the potentially burdensome obligations placed on distributors.
Manufacturers – key duties and obligations
These are set out in clauses 8-13 and include:
Duty to comply with security requirements where either: the manufacturer intends for, is aware that, or ought to be aware that, the product will be a UK consumer connectable product; or the manufacturer intended, was aware, or ought to have been aware that the product would become a UK consumer connectable product at the point where the manufacturer made the product available. This provision ensures that the duty to comply with security requirements continues to apply when a product is in use by a customer.
Statements of compliance: a manufacturer may not make a consumer connectable product available in the UK unless it is accompanied by: a statement of compliance; or a summary of the statement of compliance in which the manufacturer states that in its opinion it has complied with the applicable security requirements. Where a product has more than one manufacturer, the statement of compliance may be jointly prepared by all manufacturers, but it is also possible for a single manufacturer to prepare the statement. The Secretary of State has powers to set out further requirements.
Duty to investigate potential compliance failures: a manufacturer must take all reasonable steps to investigate a compliance failure in relation to a product if they are informed that there is, or may be, a compliance failure relating to a product and if they are aware or ought to be aware that the product is or will be a UK consumer connectable product.
Duties to take action in relation to compliance failure: where a manufacturer becomes aware, or ought to be aware, of: a compliance failure in relation to the product; and that the product is or will be a UK consumer connectable product, then as soon as is practicable, it must take all reasonable steps to prevent the product from being made available in the UK and remedy the compliance failure.
The manufacturer must also notify the following persons of the compliance failure as soon as possible:
- the enforcement authority
- any other manufacturer of the product of which the manufacturer is aware
- any importer or distributor to whom the manufacturer supplied the product
- in cases specified by the Secretary of State, any customer in the UK to whom the manufacturer supplied the product.
Any such notification must include: details of the compliance failure; any risks of which the manufacturer is aware that are posed by the compliance failure; and any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
Duty to maintain records: manufacturers must keep records of compliance containing stipulated information for a minimum of ten years. The Secretary of State has the power to examine them under certain circumstances.
Importers – key duties and obligations
The Bill imposes equivalent obligations on importers as for manufacturers (set out in clauses 14-18) in relation to:
- duty to comply with security requirements
- statements of compliance
- duty to investigate potential compliance failures of an importer or manufacturer
- duties to take action in relation to the importer's compliance failure (although with more limited notification requirements than manufacturers).
In addition, under clauses 19 and 20, importers have the following duties:
Duty not to supply products where there is compliance failure by a manufacturer: an importer must not make a relevant connectable product available in the UK if it knows or believes that there is a compliance failure and intends for, is aware or ought to be aware that, the product will be a UK consumer connectable product. For example, this would apply where the importer is informed (or could reasonably have been made aware by third parties such as the press, regulators or security experts) that the manufacturer has not or is unlikely to have complied with relevant security requirements.
Duties to take action in relation to a manufacturer's compliance failure: where an importer becomes aware, or ought to be aware, of a manufacturer's compliance failure and is aware, or ought to be aware, that a product will be a UK consumer connectable product, then it must:
- contact the manufacturer about the failure as soon as possible
- where it appears to the importer that the compliance failure is not going to be remedied then the importer must take all reasonable steps as soon as is practicable to prevent the product from being made available to UK customers
- notify the enforcement authority, any distributor to whom the importer supplied the product and, in cases specified by the Secretary of State, any UK customer to whom the importer supplied the product.
Duty to maintain records of investigations: importers are required to keep records of any investigations into compliance failures, or suspected failures, relating to products for which they are an importer. Clause 20(3) ensures that the importer will not breach its record keeping duty due to actions of the manufacturer (provided that the importer has taken reasonable steps to obtain all the required information from the manufacturer).
Distributors – key duties and obligations
The Bill imposes equivalent obligations on distributors as for manufacturers under clauses 21-24 in relation to:
- duty to comply with security requirements
- statements of compliance
- duties to take action in relation to the distributor's compliance failure (although with more limited notification requirements than manufacturers).
In addition, distributors have the following duties, set out in clauses 23 and 25:
Duty not to supply products where there is compliance failure by a manufacturer: similar to the duty placed on importers.
Duties to take action in relation to a manufacturer's compliance failure: where a distributor becomes aware, or ought to be aware, of a manufacturer's compliance failure and is aware, or ought to be aware, that a product will be a UK consumer connectable product, then it must:
- contact the manufacturer about the failure as soon as possible
- where it appears to the distributor that the compliance failure is not going to be remedied then the distributor must take all reasonable steps as soon as is practicable to prevent the product from being made available to UK customers, and
- as soon as possible after the distributor has contacted (or attempted to contact) the manufacturer, notify: the enforcement authority; any importer or distributor to whom the distributor supplied the product; the person from whom the distributor obtained the product and; in cases specified by the Secretary of State, any UK customer to whom the distributor supplied the product.
The Secretary of State will be responsible for enforcing the provisions of Part 1 and any regulations made under it. Investigative powers are also available to the Secretary of State under Schedule 5 of the Consumer Rights Act 2015. Clause 26(4) amends paragraph 13(4) of Schedule 5 of the Consumer Rights Act 2015 to allow the Secretary of State to:
- request relevant information both to determine that a breach has occurred and to ensure that penalties are correctly applied, and
- request that a manufacturer, distributor or importer supply product information without there needing to be a reasonable suspicion of a breach of the legislation.
The Secretary of State has the power to issue compliance notices, stop notices, and recall notices. Failure to comply with an enforcement notice is an offence under clause 32.
The Secretary of State also has the power to issue monetary penalties. The maximum monetary penalty issued for a single relevant breach is the greater of £10 million and 4% of the person's qualifying worldwide revenue.
When will this become law and when will it apply?
The PSTI Bill is likely to achieve Royal Assent before the end of 2022. The majority of the law is to be brought in by Regulations made by the Secretary of State. At the time of writing, it is unclear what the exact timeframe will be; however, the government has said that businesses caught by this legislation, which will be required to ensure that minimum product security requirements are met in relation to relevant products, will be given time to enable a smooth transition to compliance. When the government makes a commencement order for the relevant provisions in Chapter 3 of Part 1 of the Bill, it intends that the date of commencement will be no sooner than 12 months after Regulations are made to specify security requirements under clause 1.
What should affected businesses do now?
Businesses involved in the supply chain of consumer IoT products should consider the extent to which they will be considered manufacturers, importers or distributors under the incoming legislation, and determine whether products they are making available in the UK are likely to fall within the scope.
As the Bill itself does not specify the relevant security requirements, businesses will need to stay on top of any updates from the Secretary of State as to what these will entail. They should consider the key security priorities identified in the Code as a useful frame of reference for the time being.
The UK GDPR-level fines which can be imposed for non-compliance should help focus businesses in the IoT supply chain on the detail of this law. Those selling cross-border will also need to consider local laws, not least the EU's incoming Cyber Resilience Act, which we discuss here and which includes a similar aim of improving the security of consumer IoT products.