It is estimated that UK homes have over 1.2 million consumer ‘smart’ products that are connected to the Internet (‘Devices’). These Devices are inherently insecure and they can easily be compromised in a wide variety of cyber-attacks, putting people’s safety, money, and personal data at risk.
Examples of these attacks include the use of ‘botnets’ to hack into a device and/or network in order to deny the user access through a ‘distributed denial-of-service’ attack and/or to steal personal data, including bank and other sensitive information.
Following its 2019 public consultation on proposals to introduce legislation to regulate cyber-security of consumer Devices, the government tabled the Product Security and Telecommunications Infrastructure Bill (‘Bill’), which had its first reading in the House of Commons on the 24th of November 2021.
The Bill has two parts. Part 1 deals with the security of Devices, while Part 2 updates the law relating to the siting and use of telecommunications infrastructure. Part 2 is not covered in this article.
Part 1 of the Bill aims to:
- Require manufacturers, importers, and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers; and
- Provide a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
Clause 1 of the Bill:
- Provides Ministers with powers to specify and amend minimum security requirements in relation to consumer connectable products;
- Places duties on the manufacturers, importers, and distributors (‘Relevant Persons’) that must be complied with in relation to these products; and
- Provides powers to allow breaches of these duties to be enforced against.
What duties does the PSTI impose on devices?
The duties imposed on Relevant Persons apply to Devices placed on the market in the UK whether or not those Devices were manufactured in the UK. The result is that Relevant Persons could be faced with enforcement action and/or damages claims in relation to Devices, the manufacture of which was outside their control.
The Bill itself provides a complex definition for Devices but the Explanatory Notes that accompany the Bill state that Devices are products made available on the UK market to connect to, or those intended to be connected to the internet or other networks, that can transmit and receive digital data. These products include IoT-connected alarms, connected baby monitors, smartphones, smart speakers and smart TVs.
The Bill makes provision for products to be exempted from the Bill’s requirements (e.g. medical devices, which are already covered by other legislation). The government has not yet indicated which products will be exempt, but experts believe desktop and laptop computers will not be within the Bill’s scope.
The proposed regulations will be made under the ‘negative resolution procedure’. Under this procedure, draft regulations are tabled in both houses of parliament and if not challenged within 40 days, they become law. If challenged, the regulations will be voted on in parliament, but with the Government’s large majority in both houses, they would still become law.
PSTI Security Requirements
The Bill does not itself define the required Device security requirements. Instead, Clause 1(1) provides the Secretary of State with power to make regulations, which the government intends to use to place the original security requirements contained in the Department for Digital, Culture, Media and Sport 2018 Code of Practice for Consumer IoT Security (‘Code’) and the European security standard EN 303 645 (‘Standard’) into law.
As yet, the government has not given any indication of what these security requirements will entail, but the product security factsheet that accompanied the Bill provides that the Code provisions that will be included are:
- Banning default passwords;
- Requiring products to have a vulnerability disclosure policy; and
- Requiring transparency about the length of time for which the product will receive important security updates.
The obligations imposed on each of the Relevant Persons by the Bill and which are currently contained in the Code and Standard differ, but they broadly include a duty to:
- Comply with security requirements;
- Investigate and take action in relation to compliance failures; and
- Maintain records.
Further duties that are not imposed on all Relevant Persons include a duty to:
- Issue a statement of compliance;
- Take action on a manufacturer’s compliance failure; and
- Not to supply products where there is another Relevant Person’s compliance failure.
The Explanatory Notes accompanying the Bill state that the security requirements to be included in regulations represent the minimum security requirements that must be complied with in relation to a Device.
Clause 3 of the Bill allows the Secretary of State to specify the standards with which Relevant Persons must comply, and European Standard EN 303 645 is cited as a standard which, when complied with, will constitute compliance with the Bill’s security requirements.
How will the PSTI be enforced?
The Bill provides the Secretary of State with powers to enforce the PSTI Act (‘Act’) and regulations made under the Act. However, Clause 27(1) of the Bill gives the Secretary of State the power to delegate enforcement to one or more regulators and, as Part 1 and Part 2 relate to different areas of law, the likelihood is that separate regulators will be given the power to enforce the two parts of the Act.
It is likely that Part 1 of the Act will be regulated by the Office for Product Safety and Standards (‘OPSS’), part of the Department for Business, Energy & Industrial Strategy (‘BEIS’), which was created in 2018 specifically to enforce product safety nationally through research, co-ordinating intelligence gathering and undertaking checks on unsafe products at UK ports and borders.
Whoever regulates the Act will have significant enforcement powers, including powers to investigate, to issue enforcement, stop and recall notices, and to issue fines of up to the greater of £10 million and 4% of an organisation’s worldwide turnover.
Implications for Relevant Persons
The Bill provides little detail on Relevant Persons’ duties, but it is clear from the government’s publications to date that the Act is likely to be far more complex than it first appears and that, once in force, Relevant Persons will face significant financial, enforcement and reputational liability for breach of the Act.
The majority of Devices are manufactured outside the UK and virtually all the parts are manufactured overseas, beyond the reach of UK regulators (and possibly its courts). It is essential therefore, that even at this early stage in the Bill’s parliamentary journey, Relevant Persons and their customers consider how they are going to impose obligations contractually or otherwise on their suppliers, to enable them to comply with the Act’s provisions when it comes into force, possibly as early as late 2022.
UK Device manufacturers, importers, and distributors who fail to adapt to ensure that the Devices, or Device parts, that they import or distribute comply with the Act could be liable to enforcement action and claims for damages arising from their breach of the Act.
If your business needs help getting ready for the PSTI Bill, attend our free webinar on the 25th January at 12:00pm. Register now at https://webinars.360lawgroup.co.uk/psti
Written by David Sinclair, Information Law Solicitor